rpms/apache-commons-beanutils
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix improper access control vulnerability

Browse Source 
Resolves: CVE-2025-48734
Resolves: RHEL-94055
This commit is contained in:
Mikolaj Izdebski 2025-06-13 12:17:19 +02:00
parent 81ced291d4
commit f008dca4c5
2 changed files with 75 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
0001-Fix-CVE-2025-48734.patch Normal file
View File

@ -0,0 +1,66 @@
From 50e55ddeda5b26730a74f1a00871a8e0bf5a2131 Mon Sep 17 00:00:00 2001
From: Gary Gregory <garydgregory@gmail.com>
Date: Sun, 25 May 2025 09:07:32 -0400
Subject: [PATCH] Fix CVE-2025-48734
Backported from upstream commit 28ad955a1613ed5885870cc7da52093c1ce739dc
---
.../apache/commons/beanutils/PropertyUtilsBean.java | 1 +
.../beanutils/SuppressPropertiesBeanIntrospector.java | 11 +++++++++++
.../org/apache/commons/beanutils/package-info.java | 6 ++++++
3 files changed, 18 insertions(+)
diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
index 36eb7f57..04d99576 100644
--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
@@ -189,6 +189,7 @@ public class PropertyUtilsBean {
introspectors.clear();
introspectors.add(DefaultBeanIntrospector.INSTANCE);
introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
}
/**
diff --git a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
index bd6b2cdc..cff34969 100644
--- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
@@ -48,6 +48,17 @@ public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
+ /**
+ * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the call for
+ * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this
+ * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be
+ * accessed.
+ *
+ * @since 1.11.0
+ */
+ public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector(
+ Collections.singleton("declaringClass"));
+
/** A set with the names of the properties to be suppressed. */
private final Set<String> propertyNames;
diff --git a/src/main/java/org/apache/commons/beanutils/package-info.java b/src/main/java/org/apache/commons/beanutils/package-info.java
index 3cb9d34c..ac8d2a1f 100644
--- a/src/main/java/org/apache/commons/beanutils/package-info.java
+++ b/src/main/java/org/apache/commons/beanutils/package-info.java
@@ -444,6 +444,12 @@
* <code>SUPPRESS_CLASS</code> constant of
* <code>SuppressPropertiesBeanIntrospector</code>.</p>
*
+ * <p>Another problematic property is the {@code enum} "declaredClass" property,
+ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector}
+ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.</p>
+ *
+ * <p>Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.</p>
+ *
* <a name="dynamic"></a>
* <h1>3. Dynamic Beans (DynaBeans)</h1>
*
--
2.49.0

10
apache-commons-beanutils.spec
View File

@ -2,14 +2,17 @@
Name: apache-commons-beanutils Name: apache-commons-beanutils
Version: 1.9.4 Version: 1.9.4
Release: 20%{?dist} Release: 21%{?dist}
Summary: Java utility methods for accessing and modifying the properties of arbitrary JavaBeans Summary: Java utility methods for accessing and modifying the properties of arbitrary JavaBeans
License: Apache-2.0 License: Apache-2.0
URL: http://commons.apache.org/beanutils URL: http://commons.apache.org/beanutils
BuildArch: noarch BuildArch: noarch
ExclusiveArch: %{java_arches} noarch ExclusiveArch: %{java_arches} noarch
Source0: http://archive.apache.org/dist/commons/beanutils/source/commons-beanutils-%{version}-src.tar.gz Source0: http://archive.apache.org/dist/commons/beanutils/source/commons-beanutils-%{version}-src.tar.gz
Patch0: 0001-Fix-CVE-2025-48734.patch
%if %{with bootstrap} %if %{with bootstrap}
BuildRequires: javapackages-bootstrap BuildRequires: javapackages-bootstrap
%else %else
@ -33,6 +36,7 @@ Summary: Javadoc for %{name}
%prep %prep
%setup -q -n commons-beanutils-%{version}-src %setup -q -n commons-beanutils-%{version}-src
%patch 0 -p1
sed -i 's/\r//' *.txt sed -i 's/\r//' *.txt
%pom_remove_plugin :maven-assembly-plugin %pom_remove_plugin :maven-assembly-plugin
@ -57,6 +61,10 @@ sed -i 's/\r//' *.txt
%doc LICENSE.txt NOTICE.txt %doc LICENSE.txt NOTICE.txt
%changelog %changelog
* Fri Jun 13 2025 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.9.4-21
- Fix improper access control vulnerability
- Resolves: CVE-2025-48734
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.9.4-20 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.9.4-20
- Bump release for October 2024 mass rebuild: - Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018 Resolves: RHEL-64018