5 changed files with 112 additions and 17 deletions
--- a/.apache-commons-beanutils.metadata
+++ b/.apache-commons-beanutils.metadata
@ -1 +1 @@
-be947cc3eb478da23abe564d27c527f30bf526b8 SOURCES/commons-beanutils-1.9.4-src.tar.gz
+d9f237583ab7b8b4a4bdf55694e915b5af9e165a SOURCES/commons-beanutils-1.9.3-src.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/commons-beanutils-1.9.4-src.tar.gz
+SOURCES/commons-beanutils-1.9.3-src.tar.gz
--- a/SOURCES/0001-Fix-CVE-2019-10086.patch
+++ b/SOURCES/0001-Fix-CVE-2019-10086.patch
@ -0,0 +1,25 @@
+From a5be4419e2753593ddac1f7948f0731a2ce0a843 Mon Sep 17 00:00:00 2001
+From: Rob Tompkins <chtompki@gmail.com>
+Date: Wed, 5 Jun 2019 20:38:37 -0400
+Subject: [PATCH 1/2] Fix CVE-2019-10086
+
+Backported from upstream commit 62e82ad92cf4818709d6044aaf257b73d42659a4
+---
+ .../java/org/apache/commons/beanutils/PropertyUtilsBean.java     | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+index 5e76d97b..36eb7f57 100644
+--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+@@ -188,6 +188,7 @@ public class PropertyUtilsBean {
+     public final void resetBeanIntrospectors() {
+         introspectors.clear();
+         introspectors.add(DefaultBeanIntrospector.INSTANCE);
+        introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+     }
+ 
+     /**
+-- 
+2.49.0
+
--- a/SOURCES/0002-Fix-CVE-2025-48734.patch
+++ b/SOURCES/0002-Fix-CVE-2025-48734.patch
@ -0,0 +1,66 @@
+From 863e08bed2a0ce1a6df37c4fd28482cfbc614a99 Mon Sep 17 00:00:00 2001
+From: Gary Gregory <garydgregory@gmail.com>
+Date: Sun, 25 May 2025 09:07:32 -0400
+Subject: [PATCH 2/2] Fix CVE-2025-48734
+
+Backported from upstream commit 28ad955a1613ed5885870cc7da52093c1ce739dc
+---
+ .../apache/commons/beanutils/PropertyUtilsBean.java   |  1 +
+ .../beanutils/SuppressPropertiesBeanIntrospector.java | 11 +++++++++++
+ .../org/apache/commons/beanutils/package-info.java    |  6 ++++++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+index 36eb7f57..04d99576 100644
+--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+@@ -189,6 +189,7 @@ public class PropertyUtilsBean {
+         introspectors.clear();
+         introspectors.add(DefaultBeanIntrospector.INSTANCE);
+         introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+        introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
+     }
+ 
+     /**
+diff --git a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+index bd6b2cdc..cff34969 100644
+--- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+@@ -48,6 +48,17 @@ public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
+     public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
+             new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
+ 
+    /**
+     * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the call for
+     * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this
+     * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be
+     * accessed.
+     *
+     * @since 1.11.0
+     */
+    public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector(
+            Collections.singleton("declaringClass"));
+
+     /** A set with the names of the properties to be suppressed. */
+     private final Set<String> propertyNames;
+ 
+diff --git a/src/main/java/org/apache/commons/beanutils/package-info.java b/src/main/java/org/apache/commons/beanutils/package-info.java
+index 3cb9d34c..ac8d2a1f 100644
+--- a/src/main/java/org/apache/commons/beanutils/package-info.java
+++ b/src/main/java/org/apache/commons/beanutils/package-info.java
+@@ -444,6 +444,12 @@
+  * <code>SUPPRESS_CLASS</code> constant of
+  * <code>SuppressPropertiesBeanIntrospector</code>.</p>
+  *
+ * <p>Another problematic property is the {@code enum} "declaredClass" property,
+ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector}
+ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.</p>
+ *
+ * <p>Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.</p>
+ *
+  * <a name="dynamic"></a>
+  * <h1>3. Dynamic Beans (DynaBeans)</h1>
+  *
+-- 
+2.49.0
+
--- a/SPECS/apache-commons-beanutils.spec
+++ b/SPECS/apache-commons-beanutils.spec
@ -1,11 +1,18 @@
-Name:           apache-commons-beanutils
-Version:        1.9.4
-Release:        2%{?dist}
+%global base_name       beanutils
+%global short_name      commons-%{base_name}
+
+Name:           apache-%{short_name}
+Version:        1.9.3
+Release:        5%{?dist}
 Summary:        Java utility methods for accessing and modifying the properties of arbitrary JavaBeans
 License:        ASL 2.0
-URL:            http://commons.apache.org/beanutils
+URL:            http://commons.apache.org/%{base_name}
 BuildArch:      noarch
-Source0:        http://archive.apache.org/dist/commons/beanutils/source/commons-beanutils-%{version}-src.tar.gz
+
+Source0:        http://archive.apache.org/dist/commons/%{base_name}/source/%{short_name}-%{version}-src.tar.gz
+
+Patch0:         0001-Fix-CVE-2019-10086.patch
+Patch1:         0002-Fix-CVE-2025-48734.patch

 BuildRequires:  maven-local
 BuildRequires:  mvn(commons-collections:commons-collections)
@ -26,7 +33,9 @@ Summary:        Javadoc for %{name}
 %{summary}.

 %prep
-%setup -q -n commons-beanutils-%{version}-src
+%setup -q -n %{short_name}-%{version}-src
+%patch -P0 -p1
+%patch -P1 -p1
 sed -i 's/\r//' *.txt

 %pom_remove_plugin :maven-assembly-plugin
@ -34,7 +43,7 @@ sed -i 's/\r//' *.txt
 %mvn_alias :{*} :@1-core :@1-bean-collections
 %mvn_alias :{*} org.apache.commons:@1 org.apache.commons:@1-core org.apache.commons:@1-bean-collections
 %mvn_file : %{name} %{name}-core %{name}-bean-collections
-%mvn_file : commons-beanutils commons-beanutils-core commons-beanutils-bean-collections
+%mvn_file : %{short_name} %{short_name}-core %{short_name}-bean-collections

 %build
 # Some tests fail in Koji
@ -51,14 +60,9 @@ sed -i 's/\r//' *.txt
 %doc LICENSE.txt NOTICE.txt

 %changelog
-* Tue Nov 05 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.9.4-2
- Mass rebuild for javapackages-tools 201902
-
-* Thu Aug 15 2019 Marian Koncek <mkoncek@redhat.com> - 1.9.4-1
- Update to upstream version 1.9.4
-
-* Fri May 24 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.9.3-5
- Mass rebuild for javapackages-tools 201901
+* Mon Jun 16 2025 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.9.3-5
+- Fix improper access control vulnerabilities
+- Resolves: CVE-2019-10086, CVE-2025-48734

 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.3-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild