Received: by 2002:ab2:6203:0:b0:1f5:f2ab:c469 with SMTP id o3csp2820352lqt; Tue, 23 Apr 2024 02:36:37 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCXG1/NGVcxJzM6vBpYA8T3cIKsoSDAFifo1lOjVKGpj+0USGST4LcC1RZbh8+idtu3ELcKb9FzZ81XVPG+d0fToe7V38JyM1BLffjRosQ== X-Google-Smtp-Source: AGHT+IEDVwLqaYqwOzp/Vwb1ntOYTiKxE85sqGctzpMjp7iup/dAjNo3RflNdidqqDMnIvG5HNw+ X-Received: by 2002:a05:6512:483:b0:516:d0e3:9275 with SMTP id v3-20020a056512048300b00516d0e39275mr7628178lfq.11.1713864996822; Tue, 23 Apr 2024 02:36:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1713864996; cv=none; d=google.com; s=arc-20160816; b=ED0t0PH0IqD9j2Hm4+j80PGaIaFppFE3cT/bgdE0XtC/A6al1hOZfP2dSm5tAuXtPq XRUDxQqTXW5/cAFJ063EQnLD6wPaMh0xsdaWDYZWUu2g5aZmDJvKpVgY/jDEsqgQkVax GNQzg/3fRcKytyPiz4YD/i1I0SgLba27fwEC15EqBVpwea1oG+lkLQQkSeWrwHI1YCtt j18cxPWL7aCHdAul/VvHgorF6/knRSHB7GetW8Nvnzbn69YtdBT/UKhwQqB46TGdAHFx ZErhD5qRJHXi8IegUGSCZcE7pByZ32TLNUviweAQ2sBOrVu/o2v1qWQm2boyQDg5zk6B DADw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:content-transfer-encoding:autocrypt:from:cc :content-language:to:user-agent:mime-version:date:message-id :dkim-signature:delivered-to:delivered-to:reply-to:list-id :list-subscribe:list-unsubscribe:list-help:list-post:precedence :mailing-list; bh=l5UL9v8I4meRW/87u2+HUK62fI5PnHiDSCN8v4LTvhM=; fh=vVYxL2jAz2HR4cXzBtHbJmp+zc/Knt8PcoV8gkRKuRk=; b=RHbY7ImT2eMfdUAeQfTAEtZo5JfFXuLxAiXjAGrf1twHsgVMJD1y/8N6w/I2fMNpye LaDEz1vEIBEkrmCDh49NWSH9eMbwHqOeN5nJRd9K86IvIlVIxpuHj65PQhu/jnQ5NwPg nUziYK3hjSux/3GmPxC/pEi/+yn8hLvHa2XTG5vFINLeCFyNO0zPAjTHKZWiEROd0Gid 0oiLdjagdCbfvXrftghFq0VS8TXHbjIfaMFKIyV38jT0LT1K88I0I1CINOabRYmEf5NX rjkIAJyJqWS4jIBaGJORWc9HswoPfy48EcnwKpwfW+7N1KAbxRN9cWHrQZ+a5mQ1z2NY zc1w==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@canonical.com header.s=20210705 header.b=nZZbdCcJ; spf=pass (google.com: domain of oss-security-return-30074-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30074-linux.lists.archive=gmail.com@lists.openwall.com"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from second.openwall.net (second.openwall.net. [193.110.157.125]) by mx.google.com with SMTP id f14-20020a056402354e00b005720d0778cdsi2371262edd.165.2024.04.23.02.36.36 for ; Tue, 23 Apr 2024 02:36:36 -0700 (PDT) Received-SPF: pass (google.com: domain of oss-security-return-30074-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125; Authentication-Results: mx.google.com; dkim=fail header.i=@canonical.com header.s=20210705 header.b=nZZbdCcJ; spf=pass (google.com: domain of oss-security-return-30074-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30074-linux.lists.archive=gmail.com@lists.openwall.com"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (qmail 22475 invoked by uid 550); 23 Apr 2024 09:36:21 -0000 Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: oss-security@lists.openwall.com Delivered-To: mailing list oss-security@lists.openwall.com Delivered-To: moderator for oss-security@lists.openwall.com Received: (qmail 30489 invoked from network); 22 Apr 2024 23:52:49 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1713829961; bh=l5UL9v8I4meRW/87u2+HUK62fI5PnHiDSCN8v4LTvhM=; h=Message-ID:Date:MIME-Version:To:Cc:From:Subject:Content-Type; b=nZZbdCcJsWgtGYb7XUDg7xRPeL3ocmBrYw4+hf67tJYK9xNY2tMQLBgJPDwiSbiHs 8p6EHfPizTtzIT7diF8xwZhYwuyECbo9hCw4MosJEPn5KWJNLUKMqiBXMcgVw9eIN7 gcMMVpgSDqm3iNjft6Yp+gt0PHXx1Vgpy77U246cSpS357B0MOHSdQrJ8norJenH2r e0dO9FeUJBc6TYSBUP0HvEhDh+tqm5P4LbNZsR/lvJT9x4PVVDiWp9ji3GlUwDDvbH e1DSJixuxXNcduF8jnBbUEz2md1C0DZjsOB4E7unVCZa9NSpbMcwjAswzJV92ppf4L tRT1q804chhOw== Message-ID: <9faeb4d3-8b70-4be8-947c-f8e27be2df9d@canonical.com> Date: Mon, 22 Apr 2024 18:52:39 -0500 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: oss-security@lists.openwall.com Content-Language: en-US Cc: Yash Patel , "Dr. Parag H. Rughani" From: Mark Esler Autocrypt: addr=mark.esler@canonical.com; keydata= xsFNBGJo5iQBEADBDrePgICrxsoCWxlAiEKAgZgqeX1XhHxhDCkprNwOA9ZEU7G977BEHgYL SrAh3LraWYK+piBXBuHdg8KCUppUmEC4GtiHg+KxtxRjgZn/tjLD6vgZkwZYs0KXQVCK2bhS L0paEA78Xcx1B6xa8JArnjk87VoNl6RCjJESXkwlqGtQTEOpbNxBy5Pd0T33xYeKcOz0GWY5 ndkU1gD7NtMZdWZ8vcQclLquQO5OE33OhK78cU4Zk4xFL5I5R4rBhlrOsw002bbD0+QI6wUK QByHfvcAz59eHS/wJOrAY/1p+IKql/4fsRQQSRPSc+3CqELdxzF2s+AG0PciQms3RVYT6czH 28Ce9C9BDAENga28FvQDf5ZiSTUeXZm0XJ9g+dLg+6FBPHp9wX+ybfAmIRXQlV4D6DledQAW joBy3j09JOGQGSH0S3EbQ68Qn2xyGBlYeFCZbMlKDN8NrpVCx9Jf6dDb3Qv2Do1yIIRu5x0v wKlNsQG0NffMryLCQ0tVBNNiwqrHIbmZEhSUEmKf6u+zZsx1JMewe6fRw3hf3VOzENH5tGpZ Z1Yg8m3E2yiXmPJ9cX3iZD0l7/L8CEiuMWt/q/NEDnKsGovi9N1r04Yxxo5lWoHr+4taaOnC 2C7YEHICIWx3lEU0lm24PbNG4QBJCJ8ctwG2rV3AMILCVSzW0QARAQABzSVNYXJrIEVzbGVy IDxtYXJrLmVzbGVyQGNhbm9uaWNhbC5jb20+wsGUBBMBCgA+FiEELTsQ/oZuJMqL99Qt1guD yQUTvU8FAmJo5iQCGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ1guDyQUT vU/Gqw/9F5ko+KS9CRXXcp4SkdhHB6aGtD9rEJycEywPymmI+OwCJppmbQBzzwW7QGLHi8TT iWnWMSeikhSh0p9pPCc9rhLttYDlGZwoxXPt7PwS0k9JjITNviTNZD6uHIoYmFMxS65qdh7s 7OSQj4+nTij1b+dVqzaG4krGB/pav2D2adt4k02KfqIkPiLY0Jo+o8hKOx2HRh8xqEU/eySR tVvIx55cD4Qh63KQv465Afz+QuKsbxuqA2iboUP/srYtMQtFi8TCF7/5gLwDbGDgOAYhIxyf vgAH5dbBFB8lIMPjIeTbP0lE+xMHUmQsKhtYICnjhnGRJeT6vBlDFuUar5DYA3fIm9LEAf1T 1eMK4FBUSCv+cULlT9+rsHDbG6tiZU/BDp/mkKFs2Ax9W68+fgXy7borixrgDhfSCsYWaxLs XW/GEmyCbp30PZlLr6kvfQq7CMEjeE79FEsef7/ppRH/t+mv6p2xhb+DDbvqzcQZ7LQn3+PL xkR37spQRvevPxpx000CqTO5gV19w/2ZSPydm2Zd44XSranzwDdD4o5ZsMXAPuCNlVAVzxAh xNj2QQL7xh9bdDDmM9Z7qBPwFX42n7mwryjBHqMtrSCSI8hupSh2B/bQSRyWd3/KQ2vlJMoq 7H5EJiJYpb3blvb4tfoSfEagPqYV1jJEcKImOGs988rOwU0EYmjmJAEQAL0wGwC8P1qj0fuL aFpPKBAFtxBqnJJcc+63DjQ17/QJrYpKwGGkW6fz/Nn0nUDf88FdrHd7t6a9c3m82/gvsr8V jAD4SISpDjPIpfCj5gWGAuhATWB0pwjWRsgFkIThaa0px6ZJFGdU9lJmi633Xsk4s9bws8kZ pnwtk+StRueqcSElfLw1/gbu6EhcEH62iBb2qlRhgtntgy1dcnqDEQhcdccWSgna+ZlDIo3Z 75RWoIXxrtzUe9PDdG4Ou+k/H96mS7pZdmU6elbQlcDGYegYGH6OTYjvZyl81ACN9Y3Fcmc+ luBMeuyQndHFnG6rjOwHr6iM9ZKRBq03QiAAp4vooPyLqG9nZmoeLH0Q7L2pVIwroVtsJvnj ws5z3DujguZcLYCeA/WEXj8p0lYy9WVGrfJ7LyLp+Uj7AdXFB6msED51Swb6QkpWrcC7V2CO KZmfYGXFy7PdIwWeqgYjJ0zqEldHGDTDV0yTuuER2bJ/T1WBVy9U46/KRUXYevgCZFGPbyO/ vKLwKVbrbkimULMFcPJpKinFPQs0ch7HA6PPog0wbux5Bm9O78lzYo/WFlvofFKTzfGEsnif CVXkcsu0Qp8m6DQZyeFO8SH3DHaHFaPKc3JYEFTdmP0PdvH8aqb5TVTb8G+hvxktDkCuCrla oFVSCNhIWfJ6rAxxYGuNABEBAAHCwXwEGAEKACYWIQQtOxD+hm4kyov31C3WC4PJBRO9TwUC YmjmJAIbDAUJA8JnAAAKCRDWC4PJBRO9T3SnEACEprj9LsxvhbM6A/aLk3la8UD9MYtLSmbl +KPGEvP0r7viPftolgV8O+tRG09Z7Wd/63WsHjA2Psgwdm49BziL8tCfONfVXCojPxR/uyL5 ykPHSE/yC+mz3DTPWcncGCdteil6Cw43MHNCm2oYJ38VXAwV9pikHeO5Pj5xukmc/bQr3v3N rDQI+AQpNbWs2r4vw+y01IidmMh12RkuGi2UYOgajvfDeoSSEF7VJ6Qlij9UjatkbZpSHjn2 rf+B9DdlkRNr5Vfd9/xaSFQoazdgNS/QHqOeZ+9HqNrUlHTH9BUaTkmV6MDXtEjVGfROXxXP w/q29QUzZUZE3agqmuxB3yarPjW24mNu5Kd22rb06blTfBO0o7DOX9UwOVLfFLejfWAYANuX ilcju9/3dHRsv6o99tGfRxJIMOPVY6JgswYISB7CwdA+Uda6UvU+qwYCRi7B8L13H3uhDKzA 5sgRZnz2oQw+bOB/ErZv78NVnhrdy9LAkLk0U8RVvH8sWPco4ZjQVou6wDMEsKaIlioU8x6n YOi8LBpijWpaKEpCbU4nRdV/4d3eWr7tu1MWGcm70C6mrjypxI6TVCPg+gimjM4D7LOpJKZJ VGQg9JYPUhccp27Nn/3L2/Y9F3tKUfCTPHanOzHg4KNRRUr8CQD8qi+8nWqztY9OeZjz0vag YA== Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Subject: [oss-security] 83 bogus CVEs assigned to Robot Operating System (ROS) Yash Patel and Dr. Parag Rughani are credited as the discoverers for eighty-three recent CVEs affecting ROS 2 which the MITRE TL-Root CNA assigned. All CVE descriptions are written at a very high, vague, level. No specifics or evidence has been provided to backup vulnerability claims. Three CVEs (CVE-2023-33565, CVE-2023-33566, and CVE-2023-33567) reference the discoverer's 2022 ACM paper "Analyzing Security Vulnerability and Forensic Investigation of ROS2: A Case Study" [0]. The more technical portion of this paper was confirmed [1] to be based on a ROS 2 beginner tutorial [2]. The paper does not attribute ROS 2 documentation. Some CVEs claim that a security update will be forthcoming from the ROS 2 development team [3]. Privately [4], ROS 2 core developers stated that they were not contacted and "came to the conclusion that [these CVEs] were likely not real security vulnerabilities.". Certain CVEs describe unlikely situations. For instance, CVE-2024-30737 claims: "A critical vulnerability has been identified in ROS Kinetic Kame, particularly in configurations with ROS_VERSION=1 and ROS_PYTHON_VERSION=3." [5]. ROS Kinetic Kame supports Python 2, not Python 3. Frankly, all descriptions appear to be copy-pasted or generated to _sound_ like security issues. No evidence has been provided in the ACM paper or the 83 CVEs to suggest that vulnerabilities actually exist. CVE revocation requests have been sent to MITRE and CVE descriptions have been appended with: "NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability." The CVE IDs are: CVE-2023-33565, CVE-2023-33566, CVE-2023-33567, CVE-2023-51197, CVE-2023-51198, CVE-2023-51199, CVE-2023-51200, CVE-2023-51201, CVE-2023-51202, CVE-2023-51204, CVE-2023-51208, CVE-2024-29439, CVE-2024-29440, CVE-2024-29441, CVE-2024-29442, CVE-2024-29443, CVE-2024-29444, CVE-2024-29445, CVE-2024-29447, CVE-2024-29448, CVE-2024-29449, CVE-2024-29450, CVE-2024-29452, CVE-2024-29454, CVE-2024-29455, CVE-2024-30657, CVE-2024-30658, CVE-2024-30659, CVE-2024-30661, CVE-2024-30662, CVE-2024-30663, CVE-2024-30665, CVE-2024-30666, CVE-2024-30667, CVE-2024-30672, CVE-2024-30674, CVE-2024-30675, CVE-2024-30676, CVE-2024-30678, CVE-2024-30679, CVE-2024-30680, CVE-2024-30681, CVE-2024-30683, CVE-2024-30684, CVE-2024-30686, CVE-2024-30687, CVE-2024-30688, CVE-2024-30690, CVE-2024-30691, CVE-2024-30692, CVE-2024-30694, CVE-2024-30695, CVE-2024-30696, CVE-2024-30697, CVE-2024-30699, CVE-2024-30701, CVE-2024-30702, CVE-2024-30703, CVE-2024-30704, CVE-2024-30706, CVE-2024-30707, CVE-2024-30708, CVE-2024-30710, CVE-2024-30711, CVE-2024-30712, CVE-2024-30713, CVE-2024-30715, CVE-2024-30716, CVE-2024-30718, CVE-2024-30719, CVE-2024-30721, CVE-2024-30722, CVE-2024-30723, CVE-2024-30724, CVE-2024-30726, CVE-2024-30727, CVE-2024-30728, CVE-2024-30729, CVE-2024-30730, CVE-2024-30733, CVE-2024-30735, CVE-2024-30736, and CVE-2024-30737 Many thanks to Florencia Cabral Berenfus for her analysis of these claims! Mark Esler [0] https://dl.acm.org/doi/abs/10.1145/3573910.3573912 [1] https://github.com/yashpatelphd/CVE-2024-30737/issues/1 [2] https://docs.ros.org/en/foxy/Tutorials/Beginner-Client-Libraries/Writing-A-Simple-Py-Service-And-Client.html [3] https://github.com/yashpatelphd/CVE-2023-33565 [4] message ID [5] https://github.com/yashpatelphd/CVE-2024-30737