Bug#1109611: bookworm-pu: package commons-beanutils/1.9.4-1+deb12u1
Adrian Bunk
bunk at debian.org
Sun Jul 20 21:10:37 BST 2025
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
X-Debbugs-Cc: commons-beanutils at packages.debian.org, security at debian.org
Control: affects -1 + src:commons-beanutils
User: release.debian.org at packages.debian.org
Usertags: pu
* CVE-2025-48734: Improper access control (Closes: #1106746)
Tagged moreinfo, as a question to the security team whether they want
this in pu or as a DSA.
-------------- next part --------------
diffstat for commons-beanutils-1.9.4 commons-beanutils-1.9.4
changelog | 7
patches/0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch | 99 ++++++++++
patches/series | 1
3 files changed, 107 insertions(+)
diff -Nru commons-beanutils-1.9.4/debian/changelog commons-beanutils-1.9.4/debian/changelog
--- commons-beanutils-1.9.4/debian/changelog 2019-08-17 03:51:58.000000000 +0300
+++ commons-beanutils-1.9.4/debian/changelog 2025-07-17 16:14:22.000000000 +0300
@@ -1,3 +1,10 @@
+commons-beanutils (1.9.4-1+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2025-48734: Improper access control (Closes: #1106746)
+
+ -- Adrian Bunk <bunk at debian.org> Thu, 17 Jul 2025 16:14:22 +0300
+
commons-beanutils (1.9.4-1) unstable; urgency=medium
* New upstream release
diff -Nru commons-beanutils-1.9.4/debian/patches/0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch commons-beanutils-1.9.4/debian/patches/0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch
--- commons-beanutils-1.9.4/debian/patches/0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch 1970-01-01 02:00:00.000000000 +0200
+++ commons-beanutils-1.9.4/debian/patches/0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch 2025-07-17 16:14:13.000000000 +0300
@@ -0,0 +1,99 @@
+From 74813c8599360cfecfb7310600f6ed8e513f1218 Mon Sep 17 00:00:00 2001
+From: Gary Gregory <garydgregory at gmail.com>
+Date: Sun, 25 May 2025 09:07:32 -0400
+Subject: Add
+ org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS
+
+---
+ .../commons/beanutils/PropertyUtilsBean.java | 1 +
+ .../SuppressPropertiesBeanIntrospector.java | 22 ++++++++++++-------
+ .../commons/beanutils/package-info.java | 18 ++++++++++-----
+ 3 files changed, 27 insertions(+), 14 deletions(-)
+
+diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+index 36eb7f57..04d99576 100644
+--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
++++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+@@ -189,6 +189,7 @@ public class PropertyUtilsBean {
+ introspectors.clear();
+ introspectors.add(DefaultBeanIntrospector.INSTANCE);
+ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
++ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
+ }
+
+ /**
+diff --git a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+index bd6b2cdc..9331884c 100644
+--- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
++++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+@@ -37,16 +37,22 @@ import java.util.Set;
+ * @since 1.9.2
+ */
+ public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
++
++ /**
++ * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the property
++ * {@code class} (which is common to all Java objects) can be a security risk because it also allows access to the class loader. Adding this instance as
++ * {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be accessed.
++ */
++ public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS = new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
++
+ /**
+- * A specialized instance which is configured to suppress the special {@code class}
+- * properties of Java beans. Unintended access to the property {@code class} (which is
+- * common to all Java objects) can be a security risk because it also allows access to
+- * the class loader. Adding this instance as {@code BeanIntrospector} to an instance
+- * of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no
+- * longer be accessed.
++ * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the call for
++ * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this
++ * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be
++ * accessed.
+ */
+- public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
+- new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
++ public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector(
++ Collections.singleton("declaringClass"));
+
+ /** A set with the names of the properties to be suppressed. */
+ private final Set<String> propertyNames;
+diff --git a/src/main/java/org/apache/commons/beanutils/package-info.java b/src/main/java/org/apache/commons/beanutils/package-info.java
+index 3cb9d34c..287573af 100644
+--- a/src/main/java/org/apache/commons/beanutils/package-info.java
++++ b/src/main/java/org/apache/commons/beanutils/package-info.java
+@@ -429,20 +429,26 @@
+ * then be removed if they have been detected by other <code>BeanIntrospector</code>
+ * instances during processing of a bean class.</p>
+ *
+- * <p>A good use case for suppressing properties is the special <code>class</code>
++ * <p>A good use case for suppressing properties is the special {@code class}
+ * property which is per default available for all beans; it is generated from the
+- * <code>getClass()</code> method inherited from <code>Object</code> which follows the
++ * {@code getClass()} method inherited from {@code Object} which follows the
+ * naming conventions for property get methods. Exposing this property in an
+ * uncontrolled way can lead to a security vulnerability as it allows access to
+ * the class loader. More information can be found at
+ * <a href="https://issues.apache.org/jira/browse/BEANUTILS-463">
+ * https://issues.apache.org/jira/browse/BEANUTILS-463</a>.</p>
+ *
+- * <p>Because the <code>class</code> property is undesired in many use cases
+- * there is already an instance of <code>SuppressPropertiesBeanIntrospector</code>
++ * <p>Because the {@code class} property is undesired in many use cases
++ * there is already an instance of {@code SuppressPropertiesBeanIntrospector}
+ * which is configured to suppress this property. It can be obtained via the
+- * <code>SUPPRESS_CLASS</code> constant of
+- * <code>SuppressPropertiesBeanIntrospector</code>.</p>
++ * {@code SUPPRESS_CLASS} constant of
++ * {@code SuppressPropertiesBeanIntrospector}.</p>
++ *
++ * <p>Another problematic property is the {@code enum} "declaredClass" property,
++ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector}
++ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.</p>
++ *
++ * <p>Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.</p>
+ *
+ * <a name="dynamic"></a>
+ * <h1>3. Dynamic Beans (DynaBeans)</h1>
+--
+2.30.2
+
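Review bot: The Javadoc on the new `SUPPRESS_DECLARING_CLASS` constant in the SuppressPropertiesBeanIntrospector.java part of the patch was copied from `SUPPRESS_CLASS` and still says it suppresses "the special {@code class} properties" and "suppresses the {@code class} property", although the constant is built from `Collections.singleton("declaringClass")`; the closing sentence should read `suppresses the {@code declaringClass} property; it can then no longer be accessed`. The package-info.java part has the same slip the other way round, calling the property "declaredClass" where the code and the constant name use `declaringClass`. For a stable update the more important point is the PropertyUtilsBean.java part, which adds the new introspector to the default list, so after this upload any bean property literally named `declaringClass`, not only the one inherited by enums, stops being readable through the default `PropertyUtilsBean`; that is the intended hardening for CVE-2025-48734, but it is a behaviour change worth a line in the changelog, together with a pointer to `removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS)` for applications that depend on that property. The method enclosing that hunk in PropertyUtilsBean starts outside the patch, and applications that install their own introspector list are presumably unaffected either way.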
diff -Nru commons-beanutils-1.9.4/debian/patches/series commons-beanutils-1.9.4/debian/patches/series
--- commons-beanutils-1.9.4/debian/patches/series 2019-08-17 03:25:36.000000000 +0300
+++ commons-beanutils-1.9.4/debian/patches/series 2025-07-17 16:14:22.000000000 +0300
@@ -1 +1,2 @@
01-disable-beanmaptestcase.patch
+0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch