diff --git a/.apache-commons-beanutils.metadata b/.apache-commons-beanutils.metadata
deleted file mode 100644
index 6b1f265..0000000
--- a/.apache-commons-beanutils.metadata
+++ /dev/null
@@ -1 +0,0 @@
-be947cc3eb478da23abe564d27c527f30bf526b8 SOURCES/commons-beanutils-1.9.4-src.tar.gz
diff --git a/.gitignore b/.gitignore
index 00dd024..6246a29 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/commons-beanutils-1.9.4-src.tar.gz
+commons-beanutils-1.9.4-src.tar.gz
diff --git a/0001-Fix-CVE-2025-48734.patch b/0001-Fix-CVE-2025-48734.patch
new file mode 100644
index 0000000..f4f5816
--- /dev/null
+++ b/0001-Fix-CVE-2025-48734.patch
@@ -0,0 +1,66 @@
+From 50e55ddeda5b26730a74f1a00871a8e0bf5a2131 Mon Sep 17 00:00:00 2001
+From: Gary Gregory
+Date: Sun, 25 May 2025 09:07:32 -0400
+Subject: [PATCH] Fix CVE-2025-48734
+
+Backported from upstream commit 28ad955a1613ed5885870cc7da52093c1ce739dc
+---
+ .../apache/commons/beanutils/PropertyUtilsBean.java | 1 +
+ .../beanutils/SuppressPropertiesBeanIntrospector.java | 11 +++++++++++
+ .../org/apache/commons/beanutils/package-info.java | 6 ++++++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+index 36eb7f57..04d99576 100644
+--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
++++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+@@ -189,6 +189,7 @@ public class PropertyUtilsBean {
+ introspectors.clear();
+ introspectors.add(DefaultBeanIntrospector.INSTANCE);
+ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
++ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
+ }
+
+ /**
+diff --git a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+index bd6b2cdc..cff34969 100644
+--- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
++++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+@@ -48,6 +48,17 @@ public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
+ public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
+ new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
+
++ /**
++ * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. 
Unintended access to the call for
++ * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this
++ * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be
++ * accessed.
++ *
++ * @since 1.11.0
++ */
++ public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector(
++ Collections.singleton("declaringClass"));
++
+ /** A set with the names of the properties to be suppressed. */
+ private final Set propertyNames;
+
+diff --git a/src/main/java/org/apache/commons/beanutils/package-info.java b/src/main/java/org/apache/commons/beanutils/package-info.java
+index 3cb9d34c..ac8d2a1f 100644
+--- a/src/main/java/org/apache/commons/beanutils/package-info.java
++++ b/src/main/java/org/apache/commons/beanutils/package-info.java
+@@ -444,6 +444,12 @@
+ * SUPPRESS_CLASS constant of
+ * SuppressPropertiesBeanIntrospector.

+ *
++ *

Another problematic property is the {@code enum} "declaredClass" property,
++ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector}
++ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.

++ *
++ *

Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.

++ *
+ *
+ *

3. Dynamic Beans (DynaBeans)

+ *
+--
+2.49.0
+
diff --git a/SPECS/apache-commons-beanutils.spec b/apache-commons-beanutils.spec
similarity index 73%
rename from SPECS/apache-commons-beanutils.spec
rename to apache-commons-beanutils.spec
index 886ad71..3247bb5 100644
--- a/SPECS/apache-commons-beanutils.spec
+++ b/apache-commons-beanutils.spec
@@ -1,17 +1,26 @@
+%bcond_with bootstrap
+
 Name: apache-commons-beanutils
 Version: 1.9.4
-Release: 2%{?dist}
+Release: 21%{?dist}
 Summary: Java utility methods for accessing and modifying the properties of arbitrary JavaBeans
-License: ASL 2.0
+License: Apache-2.0
 URL: http://commons.apache.org/beanutils
 BuildArch: noarch
+ExclusiveArch: %{java_arches} noarch
+
 Source0: http://archive.apache.org/dist/commons/beanutils/source/commons-beanutils-%{version}-src.tar.gz
+Patch0: 0001-Fix-CVE-2025-48734.patch
+
+%if %{with bootstrap}
+BuildRequires: javapackages-bootstrap
+%else
 BuildRequires: maven-local
 BuildRequires: mvn(commons-collections:commons-collections)
-BuildRequires: mvn(commons-collections:commons-collections-testframework)
 BuildRequires: mvn(commons-logging:commons-logging)
 BuildRequires: mvn(org.apache.commons:commons-parent:pom:)
+%endif
 %description
 The scope of this package is to create a package of Java utility methods
@@ -27,6 +36,7 @@ Summary: Javadoc for %{name}
 %prep
 %setup -q -n commons-beanutils-%{version}-src
+%patch 0 -p1
 sed -i 's/\r//' *.txt
 %pom_remove_plugin :maven-assembly-plugin
@@ -38,7 +48,7 @@ sed -i 's/\r//' *.txt
 %build
 # Some tests fail in Koji
-%mvn_build -f
+%mvn_build -f -- -Dcommons.packageId=beanutils
 %install
 %mvn_install 
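Review bot: The Javadoc added for SUPPRESS_DECLARING_CLASS in the SuppressPropertiesBeanIntrospector.java hunk says the instance "suppresses the {@code class} property", but the constant is built with `Collections.singleton("declaringClass")`, so the sentence was carried over from SUPPRESS_CLASS and documents the wrong property; it should read `* instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code declaringClass} property; it can then no longer be`. The package-info.java hunk has the matching slip, calling it the "declaredClass" property while the code and the constant name use declaringClass, and the `@since 1.11.0` tag describes the upstream release rather than the 1.9.4 line this backport targets. Since the file is a backport of an upstream commit it may be preferable to keep it verbatim and correct the wording upstream, but anyone auditing which properties are now blocked will be misled by the current text. The PropertyUtilsBean.java hunk only appends the new introspector to the default list rebuilt by the method shown there; that method starts outside the hunk, and per the diffstat nothing in the patch adds a test confirming that declaringClass is no longer readable through PropertyUtilsBean.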
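Review bot: `%mvn_build -f` in the %build hunk skips the whole test suite, so the build never exercises the introspector list that Patch0 changes and the CVE fix is applied without any build-time check; dropping the commons-collections-testframework BuildRequires in the first hunk makes that permanent. The existing comment says only some tests fail in Koji, so consider excluding just those instead of passing `-f` (which ones has to be established from a local build), or at minimum extend the comment to `# Some tests fail in Koji; the suite is skipped, so Patch0 is not verified at build time`. `%patch 0 -p1` in the %prep hunk uses the space-separated spelling, which as far as I recall needs rpm 4.18 or later; that is fine for current Fedora and RHEL 9+ targets, but `%patch0 -p1` would be needed if this spec is expected to build on older rpm.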
@@ -51,15 +61,91 @@ sed -i 's/\r//' *.txt
 %doc LICENSE.txt NOTICE.txt
 %changelog
+* Fri Jun 13 2025 Mikolaj Izdebski - 1.9.4-21
+- Fix improper access control vulnerability
+- Resolves: CVE-2025-48734
+
+* Tue Oct 29 2024 Troy Dawson - 1.9.4-20
+- Bump release for October 2024 mass rebuild:
+ Resolves: RHEL-64018
+
+* Thu Aug 01 2024 Troy Dawson - 1.9.4-19
+- Bump release for Aug 2024 java mass rebuild
+
+* Mon Jun 24 2024 Troy Dawson - 1.9.4-18
+- Bump release for June 2024 mass rebuild
+
+* Mon Jan 22 2024 Fedora Release Engineering - 1.9.4-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering - 1.9.4-16
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Dec 04 2023 Mikolaj Izdebski - 1.9.4-15
+- Port to apache-commons-parent 65
+
+* Fri Sep 01 2023 Mikolaj Izdebski - 1.9.4-14
+- Convert License tag to SPDX format
+
+* Wed Jul 19 2023 Fedora Release Engineering - 1.9.4-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed Jan 18 2023 Fedora Release Engineering - 1.9.4-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Jul 20 2022 Fedora Release Engineering - 1.9.4-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Sat Feb 05 2022 Jiri Vanek - 1.9.4-10
+- Rebuilt for java-17-openjdk as system jdk
+
+* Wed Jan 19 2022 Fedora Release Engineering - 1.9.4-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Nov 02 2021 Mikolaj Izdebski - 1.9.4-8
+- Bump Java compiler source/target levels to 1.7
+
+* Wed Jul 21 2021 Fedora Release Engineering - 1.9.4-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon May 17 2021 Mikolaj Izdebski - 1.9.4-6
+- Bootstrap build
+- Non-bootstrap build
+
+* Tue Jan 26 2021 Fedora Release Engineering - 1.9.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release 
Engineering - 1.9.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jul 10 2020 Jiri Vanek - 1.9.4-3
+- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11
+
+* Tue Jan 28 2020 Fedora Release Engineering - 1.9.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
 * Tue Nov 05 2019 Mikolaj Izdebski - 1.9.4-2
 - Mass rebuild for javapackages-tools 201902
+* Fri Oct 04 2019 Fabio Valentini - 1.9.4-1
+- Update to version 1.9.4.
+- Re-enable test suite.
+
 * Thu Aug 15 2019 Marian Koncek - 1.9.4-1
 - Update to upstream version 1.9.4
+* Wed Jul 24 2019 Fedora Release Engineering - 1.9.3-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
 * Fri May 24 2019 Mikolaj Izdebski - 1.9.3-5
 - Mass rebuild for javapackages-tools 201901
+* Thu Jan 31 2019 Fedora Release Engineering - 1.9.3-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Jul 12 2018 Fedora Release Engineering - 1.9.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
 * Wed Feb 07 2018 Fedora Release Engineering - 1.9.3-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
diff --git a/sources b/sources
new file mode 100644
index 0000000..bbd675e
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (commons-beanutils-1.9.4-src.tar.gz) = 6f3d30d02b9a66cf20509bd868c6e2dadb44bb27da1e6b9af7275675e0f3826845a5d4005509dd1eb77a5b2937820c4770a3753daaab072785dcdab0caa69e73