Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
X-Debbugs-Cc: commons-beanut...@packages.debian.org, secur...@debian.org
Control: affects -1 + src:commons-beanutils
User: release.debian....@packages.debian.org
Usertags: pu
* CVE-2025-48734: Improper access control (Closes: #1106746)

Tagged moreinfo, as a question to the security team whether they want this in pu or as a DSA.
diffstat for commons-beanutils-1.9.4 commons-beanutils-1.9.4 changelog | 7 patches/0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch | 99 ++++++++++ patches/series | 1 3 files changed, 107 insertions(+) diff -Nru commons-beanutils-1.9.4/debian/changelog commons-beanutils-1.9.4/debian/changelog --- commons-beanutils-1.9.4/debian/changelog 2019-08-17 03:51:58.000000000 +0300 +++ commons-beanutils-1.9.4/debian/changelog 2025-07-17 16:14:22.000000000 +0300 @@ -1,3 +1,10 @@ +commons-beanutils (1.9.4-1+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * CVE-2025-48734: Improper access control (Closes: #1106746) + + -- Adrian Bunk <b...@debian.org> Thu, 17 Jul 2025 16:14:22 +0300 + commons-beanutils (1.9.4-1) unstable; urgency=medium * New upstream release diff -Nru commons-beanutils-1.9.4/debian/patches/0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch commons-beanutils-1.9.4/debian/patches/0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch --- commons-beanutils-1.9.4/debian/patches/0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch 1970-01-01 02:00:00.000000000 +0200 +++ commons-beanutils-1.9.4/debian/patches/0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch 2025-07-17 16:14:13.000000000 +0300 
@@ -0,0 +1,99 @@ +From 74813c8599360cfecfb7310600f6ed8e513f1218 Mon Sep 17 00:00:00 2001 +From: Gary Gregory <garydgreg...@gmail.com> +Date: Sun, 25 May 2025 09:07:32 -0400 +Subject: Add + org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS + +--- + .../commons/beanutils/PropertyUtilsBean.java | 1 + + .../SuppressPropertiesBeanIntrospector.java | 22 ++++++++++++------- + .../commons/beanutils/package-info.java | 18 ++++++++++----- + 3 files changed, 27 insertions(+), 14 deletions(-) + +diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java +index 36eb7f57..04d99576 100644 +--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java ++++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java +@@ -189,6 +189,7 @@ public class PropertyUtilsBean { + introspectors.clear(); + introspectors.add(DefaultBeanIntrospector.INSTANCE); + introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS); ++ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS); + } + + /** +diff --git a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java +index bd6b2cdc..9331884c 100644 +--- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java ++++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java +@@ -37,16 +37,22 @@ import java.util.Set; + * @since 1.9.2 + */ + public class SuppressPropertiesBeanIntrospector implements BeanIntrospector { ++ ++ /** ++ * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the property ++ * {@code class} (which is common to all Java objects) can be a security risk because it also allows access to the class loader. 
Adding this instance as ++ * {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be accessed. ++ */ ++ public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS = new SuppressPropertiesBeanIntrospector(Collections.singleton("class")); ++ + /** +- * A specialized instance which is configured to suppress the special {@code class} +- * properties of Java beans. Unintended access to the property {@code class} (which is +- * common to all Java objects) can be a security risk because it also allows access to +- * the class loader. Adding this instance as {@code BeanIntrospector} to an instance +- * of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no +- * longer be accessed. ++ * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the call for ++ * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this ++ * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be ++ * accessed. + */ +- public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS = +- new SuppressPropertiesBeanIntrospector(Collections.singleton("class")); ++ public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector( ++ Collections.singleton("declaringClass")); + + /** A set with the names of the properties to be suppressed. 
*/ + private final Set<String> propertyNames; +diff --git a/src/main/java/org/apache/commons/beanutils/package-info.java b/src/main/java/org/apache/commons/beanutils/package-info.java +index 3cb9d34c..287573af 100644 +--- a/src/main/java/org/apache/commons/beanutils/package-info.java ++++ b/src/main/java/org/apache/commons/beanutils/package-info.java +@@ -429,20 +429,26 @@ + * then be removed if they have been detected by other <code>BeanIntrospector</code> + * instances during processing of a bean class.</p> + * +- * <p>A good use case for suppressing properties is the special <code>class</code> ++ * <p>A good use case for suppressing properties is the special {@code class} + * property which is per default available for all beans; it is generated from the +- * <code>getClass()</code> method inherited from <code>Object</code> which follows the ++ * {@code getClass()} method inherited from {@code Object} which follows the + * naming conventions for property get methods. Exposing this property in an + * uncontrolled way can lead to a security vulnerability as it allows access to + * the class loader. More information can be found at + * <a href="https://issues.apache.org/jira/browse/BEANUTILS-463"> + * https://issues.apache.org/jira/browse/BEANUTILS-463</a>.</p> + * +- * <p>Because the <code>class</code> property is undesired in many use cases +- * there is already an instance of <code>SuppressPropertiesBeanIntrospector</code> ++ * <p>Because the {@code class} property is undesired in many use cases ++ * there is already an instance of {@code SuppressPropertiesBeanIntrospector} + * which is configured to suppress this property. 
It can be obtained via the +- * <code>SUPPRESS_CLASS</code> constant of +- * <code>SuppressPropertiesBeanIntrospector</code>.</p> ++ * {@code SUPPRESS_CLASS} constant of ++ * {@code SuppressPropertiesBeanIntrospector}.</p> ++ * ++ * <p>Another problematic property is the {@code enum} "declaredClass" property, ++ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector} ++ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.</p> ++ * ++ * <p>Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.</p> + * + * <a name="dynamic"></a> + * <h1>3. Dynamic Beans (DynaBeans)</h1> +-- +2.30.2 + diff -Nru commons-beanutils-1.9.4/debian/patches/series commons-beanutils-1.9.4/debian/patches/series --- commons-beanutils-1.9.4/debian/patches/series 2019-08-17 03:25:36.000000000 +0300 +++ commons-beanutils-1.9.4/debian/patches/series 2025-07-17 16:14:22.000000000 +0300 @@ -1 +1,2 @@ 01-disable-beanmaptestcase.patch +0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch