CVE-2024-41921

Name: CVE-2024-41921
Description: A code injection vulnerability has been discovered in the Robot Operating System (ROS) 'rostopic' command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability lies in the 'echo' verb, which allows a user to introspect a ROS topic and accepts a user-provided Python expression via the --filter option. This input is passed directly to the eval() function without sanitization, allowing a local user to craft and execute arbitrary code.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1110773

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release        Version               Status
ros-ros-comm (PTS)   bullseye       1.15.9+ds1-7+deb11u1  vulnerable
                     bookworm       1.15.15+ds-2          vulnerable
                     forky, trixie  1.17.0+ds-2           vulnerable
                     sid            1.17.4+ds-1           vulnerable

The information below is based on the following data on fixed versions.

Package        Type    Release     Fixed Version  Urgency      Origin  Debian Bugs
ros-ros-comm   source  (unstable)  (unfixed)      unimportant          1110773

Notes

Bogus report, all input to eval comes from trusted input