Bug#1112669: bookworm-pu: package libcommons-lang-java/2.6-10+deb12u1

Daniel Leidert dleidert at debian.org
Sun Aug 31 19:05:25 BST 2025


Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libcommons-lang-java at packages.debian.org
Control: affects -1 + src:libcommons-lang-java
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]

This upload attempts to fix CVE-2025-48924, an uncontrolled recursion
vulnerability that can lead to a StackOverflowError, for users of Debian
Bookworm.

[ Impact ]

If the update is not approved, users might be affected by CVE-2025-48924.

[ Tests ]

The patch adds a new test to check if the fix is successful. I also did some
successful manual testing.

[ Risks ]

There is the risk of regression. But the patch is rather small and tested.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

The patch uses a (backported) rewrite that avoids the recursion.

[ Other info ]

The issue has been fixed in LTS/ELTS as well.

-------------- next part --------------
diff -Nru libcommons-lang-java-2.6/debian/changelog libcommons-lang-java-2.6/debian/changelog
--- libcommons-lang-java-2.6/debian/changelog	2022-05-23 11:24:24.000000000 +0200
+++ libcommons-lang-java-2.6/debian/changelog	2025-08-31 19:06:43.000000000 +0200
@@ -1,3 +1,11 @@
+libcommons-lang-java (2.6-10+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * d/patches/CVE-2025-48924.patch: Add patch to fix CVE-2025-48924.
+    - Fix an uncontrolled recursion vulnerability (closes: 1109126).
+
+ -- Daniel Leidert <dleidert at debian.org>  Sun, 31 Aug 2025 19:06:43 +0200
+
 libcommons-lang-java (2.6-10) unstable; urgency=medium
 
   * Fixed the build failure with Java 17 (Closes: #1011120)
diff -Nru libcommons-lang-java-2.6/debian/gbp.conf libcommons-lang-java-2.6/debian/gbp.conf
--- libcommons-lang-java-2.6/debian/gbp.conf	1970-01-01 01:00:00.000000000 +0100
+++ libcommons-lang-java-2.6/debian/gbp.conf	2025-08-31 19:06:43.000000000 +0200
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian/bookworm
+pristine-tar = True
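Review bot: the new debian/gbp.conf is not mentioned in the debian/changelog entry above, which lists only d/patches/CVE-2025-48924.patch, although the request's checklist says all changes are documented there. Either add a changelog line for it (for example "d/gbp.conf: Add for the debian/bookworm branch") or drop the file from this upload so the stable update carries only the security fix.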
diff -Nru libcommons-lang-java-2.6/debian/patches/CVE-2025-48924.patch libcommons-lang-java-2.6/debian/patches/CVE-2025-48924.patch
--- libcommons-lang-java-2.6/debian/patches/CVE-2025-48924.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcommons-lang-java-2.6/debian/patches/CVE-2025-48924.patch	2025-08-31 19:06:43.000000000 +0200
@@ -0,0 +1,162 @@
+From: Gary Gregory <garydgregory at gmail.com>
+Date: Sat, 21 Sep 2024 17:23:08 -0400
+Subject: [PATCH] Rewrite ClassUtils.getClass() without recursion to avoid
+ StackOverflowError on very long inputs.
+
+- This was found fuzz testing Apache Commons Text which relies on
+ClassUtils.
+- OssFuzz Issue 42522972:
+apache-commons-text:StringSubstitutorInterpolatorFuzzer: Security
+exception in org.apache.commons.lang3.ClassUtils.getClass
+
+Reviewed-By: Daniel Leidert <dleidert at debian.org>
+Origin: https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53
+Bug: https://github.com/advisories/GHSA-j288-q9x7-2f5v
+Bug-Debian: https://bugs.debian.org/1109126
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48924
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2025-48924
+---
+ .../java/org/apache/commons/lang/ClassUtils.java   |  46 ++++++++++-----------
+ .../apache/commons/lang/ClassUtilsOssFuzzTest.java | Bin 0 -> 17588 bytes
+ 2 files changed, 22 insertions(+), 24 deletions(-)
+ create mode 100644 src/test/java/org/apache/commons/lang/ClassUtilsOssFuzzTest.java
+
+diff --git a/src/main/java/org/apache/commons/lang/ClassUtils.java b/src/main/java/org/apache/commons/lang/ClassUtils.java
+index 82665e2..3d463d9 100644
+--- a/src/main/java/org/apache/commons/lang/ClassUtils.java
++++ b/src/main/java/org/apache/commons/lang/ClassUtils.java
+@@ -748,30 +748,27 @@ public class ClassUtils {
+      */
+     public static Class getClass(
+             ClassLoader classLoader, String className, boolean initialize) throws ClassNotFoundException {
+-        try {
+-            Class clazz;
+-            if (abbreviationMap.containsKey(className)) {
+-                String clsName = "[" + abbreviationMap.get(className);
+-                clazz = Class.forName(clsName, initialize, classLoader).getComponentType();
+-            } else {
+-                clazz = Class.forName(toCanonicalName(className), initialize, classLoader);
+-            }
+-            return clazz;
+-        } catch (ClassNotFoundException ex) {
+-            // allow path separators (.) as inner class name separators
+-            int lastDotIndex = className.lastIndexOf(PACKAGE_SEPARATOR_CHAR);
+-
+-            if (lastDotIndex != -1) {
+-                try {
+-                    return getClass(classLoader, className.substring(0, lastDotIndex) +
+-                            INNER_CLASS_SEPARATOR_CHAR + className.substring(lastDotIndex + 1),
+-                            initialize);
+-                } catch (ClassNotFoundException ex2) {
++        // This method was re-written to avoid recursion and stack overflows found by fuzz testing.
++        String next = className;
++        int lastDotIndex = -1;
++        do {
++            try {
++                Class clazz;
++                if (abbreviationMap.containsKey(className)) {
++                    String clsName = "[" + abbreviationMap.get(className);
++                    clazz = Class.forName(clsName, initialize, classLoader).getComponentType();
++                } else {
++                    clazz = Class.forName(toCanonicalName(className), initialize, classLoader);
++                }
++                return clazz;
++            } catch (final ClassNotFoundException ex) {
++                lastDotIndex = next.lastIndexOf(PACKAGE_SEPARATOR_CHAR);
++                if (lastDotIndex != -1) {
++                    next = next.substring(0, lastDotIndex) + INNER_CLASS_SEPARATOR_CHAR + next.substring(lastDotIndex + 1);
+                 }
+             }
+-
+-            throw ex;
+-        }
++        } while (lastDotIndex != -1);
++        throw new ClassNotFoundException(next);
+     }
+ 
+     /**
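Review bot: inside the new do/while loop the try block still looks up `className`, not `next`, in all three places: `abbreviationMap.containsKey(className)`, `abbreviationMap.get(className)` and `Class.forName(toCanonicalName(className), ...)`. The catch branch rewrites the last '.' to the inner-class separator in `next`, but that rewritten name is never passed to `Class.forName`, so every iteration retries the original string. The removed code recursed with the rewritten name, which is how a dotted inner-class name was resolved; as written here that fallback can no longer succeed, and the loop only counts down the dots before throwing `ClassNotFoundException(next)`. The try block should use `next` wherever it now uses `className`, so each pass tries the candidate produced by the previous one.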
+@@ -886,11 +883,12 @@ public class ClassUtils {
+      */
+     private static String toCanonicalName(String className) {
+         className = StringUtils.deleteWhitespace(className);
++        final String arrayMarker = "[]";
+         if (className == null) {
+             throw new NullArgumentException("className");
+-        } else if (className.endsWith("[]")) {
++        } else if (className.endsWith(arrayMarker)) {
+             StrBuilder classNameBuffer = new StrBuilder();
+-            while (className.endsWith("[]")) {
++            while (className.endsWith(arrayMarker)) {
+                 className = className.substring(0, className.length() - 2);
+                 classNameBuffer.append("[");
+             }
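Review bot: the `arrayMarker` constant replaces the two `"[]"` literals, but the unchanged `className.substring(0, className.length() - 2)` inside the while loop still hard-codes the marker length. If the constant is kept, `arrayMarker.length()` there would keep the two in step. The refactor is also unrelated to the recursion fix, so for a stable update it could be left out to keep the diff limited to getClass().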
+diff --git a/src/test/java/org/apache/commons/lang/ClassUtilsOssFuzzTest.java b/src/test/java/org/apache/commons/lang/ClassUtilsOssFuzzTest.java
+new file mode 100644
+index 0000000..5ab7334
+--- /dev/null
++++ b/src/test/java/org/apache/commons/lang/ClassUtilsOssFuzzTest.java
+@@ -0,0 +1,64 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++package org.apache.commons.lang;
++
++import junit.framework.TestCase;
++
++/**
++ * Tests {@link ClassUtils}.
++ */
++public class ClassUtilsOssFuzzTest extends TestCase {
++
++    public ClassUtilsOssFuzzTest(String name) {
++        super(name);
++    }
++
++    /**
++     * Tests that no StackOverflowError is thrown.
++     * <p>
++     * OSS-Fuzz Issue 42522972: apache-commons-text:StringSubstitutorInterpolatorFuzzer: Security exception in org.apache.commons.lang.ClassUtils.getClass
++     * </p>
++     */
++    public void testGetClassLongIllegalName() throws Exception {
++        // Input from Commons Text clusterfuzz-testcase-StringSubstitutorInterpolatorFuzzer-5447769450741760
++        assertGetClassThrowsClassNotFound(
++                "?da?~e]W]                   ~          t $t ${.u base64encoder{con+s {.u base64encoder{con+s          ~          t   ....................                                                                                      ................??????????&${localhot:??????4?.........  .........................s${.!. ${..? \\E],${con?       EEE]W?E?E.! ${.u base64encoder{con?       EEE]W?E?E.! ${.u base64encoder{con+s          ~          t   ....................................??????????&${localhot:??????-636?...............................................................     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......  
   t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! 
$${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -...... 
    t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! 
$${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -...... 
    t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! 
$${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - -......     t]V]W?E?E.! $${.u - - }" );
++    }
++
++    /**
++     * Tests that no StackOverflowError is thrown.
++     */
++
++    public void testGetClassLongName() throws Exception {
++        assertGetClassThrowsClassNotFound( StringUtils.repeat("a.", 5_000) + "b" );
++    }
++
++    private void assertGetClassThrowsClassNotFound( String className ) throws Exception {
++        assertGetClassThrowsException( className, ClassNotFoundException.class );
++    }
++
++    private void assertGetClassThrowsException( String className, Class exceptionType ) throws Exception {
++        try {
++            ClassUtils.getClass( className );
++            fail( "ClassUtils.getClass() should fail with an exception of type " + exceptionType.getName() + " when given class name \"" + className + "\"." );
++        }
++        catch( Exception e ) {
++            assertTrue( exceptionType.isAssignableFrom( e.getClass() ) );
++        }
++    }
++}
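Review bot: both new tests, testGetClassLongIllegalName and testGetClassLongName, only assert that ClassUtils.getClass() ends in ClassNotFoundException, so they cover the failure path of the rewritten loop and nothing else. Neither checks that a name needing the '.' to inner-class-separator fallback still resolves to a class, which is the behaviour the rewrite has to preserve; a positive case with a dotted inner-class name and an assertion on the returned Class would catch a regression there. Separately, `StringUtils.repeat("a.", 5_000)` uses an underscore numeric literal, which needs Java 7 or later source level, so it is worth confirming the package build compiles the tests at that level or writing it as 5000.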
diff -Nru libcommons-lang-java-2.6/debian/patches/series libcommons-lang-java-2.6/debian/patches/series
--- libcommons-lang-java-2.6/debian/patches/series	2022-05-23 11:23:11.000000000 +0200
+++ libcommons-lang-java-2.6/debian/patches/series	2025-08-31 19:06:43.000000000 +0200
@@ -1,2 +1,3 @@
 01-source-encoding.patch
 02-java17-compatibility.patch
+CVE-2025-48924.patch

