Source: ros-dynamic-reconfigure
Version: 1.7.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/ros/dynamic_reconfigure/pull/202
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.7.3-2

Hi,

The following vulnerability was published for ros-dynamic-reconfigure.

CVE-2024-39780[0]:
| A YAML deserialization vulnerability was found in the Robot
| Operating System (ROS) 'dynparam', a command-line tool for getting,
| setting, and deleting parameters of a dynamically configurable node,
| affecting ROS distributions Noetic and earlier. The issue is caused
| by the use of the yaml.load() function in the 'set' and 'get' verbs,
| and allows for the creation of arbitrary Python objects. Through
| this flaw, a local or remote user can craft and execute arbitrary
| Python code. This issue has now been fixed for ROS Noetic via commit
| 3d93ac13603438323d7e9fa74e879e45c5fe2e8e.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-39780
    https://www.cve.org/CVERecord?id=CVE-2024-39780
[1] https://github.com/ros/dynamic_reconfigure/pull/202
[2] https://github.com/ros/dynamic_reconfigure/commit/9975cc8b55b3039115da6662cc7279cc65303844

Regards,
Salvatore
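Added example (editor's illustration, not code from the bug report, from dynamic_reconfigure, or from the upstream fix): it contrasts the yaml.load() pattern the CVE text describes with yaml.safe_load(), the hardening a maintainer would verify in the shipped package. The helper names, the benign sample value and the gadget document are constructed for this example; the unsafe helper passes Loader=yaml.Loader explicitly, which is PyYAML's full loader that honours python/* tags, rather than reproducing dynparam's exact call. It requires PyYAML.

```python
import os
import yaml

# Constructed inputs (not from the advisory): a benign value of the kind a user
# would pass to `dynparam set`, and a gadget document that asks an unsafe PyYAML
# loader to call os.getcwd() while building the result. os.getcwd is a harmless
# stand-in for any importable callable an attacker could name.
BENIGN_VALUE = "{rate: 10.0, enabled: true, tags: [a, b]}"
GADGET_VALUE = "!!python/object/apply:os.getcwd []"


def parse_value_unsafe(text):
    """The vulnerable pattern: the full Loader resolves python/object tags,
    so parsing attacker-controlled text calls arbitrary Python callables."""
    return yaml.load(text, Loader=yaml.Loader)


def parse_value_safe(text):
    """The hardened form: safe_load only builds plain YAML types (scalars,
    lists, dicts) and raises ConstructorError on any python/* tag."""
    return yaml.safe_load(text)


def gadget_runs_under_unsafe_loader():
    """True if parsing GADGET_VALUE with the unsafe loader executed os.getcwd()."""
    return parse_value_unsafe(GADGET_VALUE) == os.getcwd()


def gadget_rejected_by_safe_loader():
    """True if the safe loader refuses the gadget instead of executing it."""
    try:
        parse_value_safe(GADGET_VALUE)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe loader executed gadget:", gadget_runs_under_unsafe_loader())
    print("safe loader rejected gadget:  ", gadget_rejected_by_safe_loader())
    # The benign value still parses, so the fix does not cost dynparam any
    # of the scalar/list/dict inputs it legitimately needs.
    print("safe loader on benign value:  ", parse_value_safe(BENIGN_VALUE))
```

When checking a patched package, the useful test is the second pair of calls: the gadget must raise ConstructorError under the shipped code path while ordinary scalar, list and mapping values continue to parse.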