
Bug#1109611: marked as done (bookworm-pu: package commons-beanutils/1.9.4-1+deb12u1)



Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1109611,
regarding bookworm-pu: package commons-beanutils/1.9.4-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1109611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109611
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
X-Debbugs-Cc: commons-beanutils@packages.debian.org, security@debian.org
Control: affects -1 + src:commons-beanutils
User: release.debian.org@packages.debian.org
Usertags: pu

  * CVE-2025-48734: Improper access control (Closes: #1106746)

Tagged moreinfo, as a question to the security team whether they want
this in pu or as a DSA.
diffstat for commons-beanutils-1.9.4 commons-beanutils-1.9.4

 changelog                                                               |    7 
 patches/0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch |   99 ++++++++++
 patches/series                                                          |    1 
 3 files changed, 107 insertions(+)

diff -Nru commons-beanutils-1.9.4/debian/changelog commons-beanutils-1.9.4/debian/changelog
--- commons-beanutils-1.9.4/debian/changelog	2019-08-17 03:51:58.000000000 +0300
+++ commons-beanutils-1.9.4/debian/changelog	2025-07-17 16:14:22.000000000 +0300
@@ -1,3 +1,10 @@
+commons-beanutils (1.9.4-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-48734: Improper access control (Closes: #1106746)
+
+ -- Adrian Bunk <bunk@debian.org>  Thu, 17 Jul 2025 16:14:22 +0300
+
 commons-beanutils (1.9.4-1) unstable; urgency=medium
 
   * New upstream release
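Review bot: The changelog entry records only the CVE id; for a stable update it should also name the upstream fix being backported, here commit 74813c8599360cfecfb7310600f6ed8e513f1218 from the From: line of the added patch, so the provenance can be checked without opening the patch file. For example: `  * CVE-2025-48734: Improper access control, backport of upstream commit 74813c8 (Closes: #1106746)`.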
diff -Nru commons-beanutils-1.9.4/debian/patches/0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch commons-beanutils-1.9.4/debian/patches/0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch
--- commons-beanutils-1.9.4/debian/patches/0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch	1970-01-01 02:00:00.000000000 +0200
+++ commons-beanutils-1.9.4/debian/patches/0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch	2025-07-17 16:14:13.000000000 +0300
@@ -0,0 +1,99 @@
+From 74813c8599360cfecfb7310600f6ed8e513f1218 Mon Sep 17 00:00:00 2001
+From: Gary Gregory <garydgregory@gmail.com>
+Date: Sun, 25 May 2025 09:07:32 -0400
+Subject: Add
+ org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS
+
+---
+ .../commons/beanutils/PropertyUtilsBean.java  |  1 +
+ .../SuppressPropertiesBeanIntrospector.java   | 22 ++++++++++++-------
+ .../commons/beanutils/package-info.java       | 18 ++++++++++-----
+ 3 files changed, 27 insertions(+), 14 deletions(-)
+
+diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+index 36eb7f57..04d99576 100644
+--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
++++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+@@ -189,6 +189,7 @@ public class PropertyUtilsBean {
+         introspectors.clear();
+         introspectors.add(DefaultBeanIntrospector.INSTANCE);
+         introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
++        introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
+     }
+ 
+     /**
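Review bot: Registering SUPPRESS_DECLARING_CLASS in the default introspector list changes behaviour for every PropertyUtilsBean user: the `declaringClass` property of enum values stops resolving. That is the intended hardening, but the Javadoc of the surrounding method (the `/**` block this hunk ends on) says nothing about it; add a sentence there stating that both SUPPRESS_CLASS and SUPPRESS_DECLARING_CLASS are installed by default, matching the statement added to package-info.java further down.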
+diff --git a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+index bd6b2cdc..9331884c 100644
+--- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
++++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+@@ -37,16 +37,22 @@ import java.util.Set;
+  * @since 1.9.2
+  */
+ public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
++
++    /**
++     * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the property
++     * {@code class} (which is common to all Java objects) can be a security risk because it also allows access to the class loader. Adding this instance as
++     * {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be accessed.
++     */
++    public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS = new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
++
+     /**
+-     * A specialized instance which is configured to suppress the special {@code class}
+-     * properties of Java beans. Unintended access to the property {@code class} (which is
+-     * common to all Java objects) can be a security risk because it also allows access to
+-     * the class loader. Adding this instance as {@code BeanIntrospector} to an instance
+-     * of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no
+-     * longer be accessed.
++     * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the call for
++     * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this
++     * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be
++     * accessed.
+      */
+-    public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
+-            new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
++    public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector(
++            Collections.singleton("declaringClass"));
+ 
+     /** A set with the names of the properties to be suppressed. */
+     private final Set<String> propertyNames;
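Review bot: The Javadoc on the new SUPPRESS_DECLARING_CLASS constant is a copy of the SUPPRESS_CLASS text and is wrong in two places: it says the instance "suppress[es] the special {@code class} properties" and that "the {@code class} property ... can then no longer be accessed", while the constant actually suppresses `declaringClass` (the singleton passed to the constructor). Reword it to say it suppresses the `declaringClass` property exposed by `Enum.getDeclaringClass()`, which also leaks the class loader. The hunk also reflows the existing SUPPRESS_CLASS Javadoc onto long lines with no functional change; for a stable backport, dropping that churn and adding only the new constant keeps the diff minimal and easier to audit.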
+diff --git a/src/main/java/org/apache/commons/beanutils/package-info.java b/src/main/java/org/apache/commons/beanutils/package-info.java
+index 3cb9d34c..287573af 100644
+--- a/src/main/java/org/apache/commons/beanutils/package-info.java
++++ b/src/main/java/org/apache/commons/beanutils/package-info.java
+@@ -429,20 +429,26 @@
+  * then be removed if they have been detected by other <code>BeanIntrospector</code>
+  * instances during processing of a bean class.</p>
+  *
+- * <p>A good use case for suppressing properties is the special <code>class</code>
++ * <p>A good use case for suppressing properties is the special {@code class}
+  * property which is per default available for all beans; it is generated from the
+- * <code>getClass()</code> method inherited from <code>Object</code> which follows the
++ * {@code getClass()} method inherited from {@code Object} which follows the
+  * naming conventions for property get methods. Exposing this property in an
+  * uncontrolled way can lead to a security vulnerability as it allows access to
+  * the class loader. More information can be found at
+  * <a href="https://issues.apache.org/jira/browse/BEANUTILS-463";>
+  * https://issues.apache.org/jira/browse/BEANUTILS-463</a>.</p>
+  *
+- * <p>Because the <code>class</code> property is undesired in many use cases
+- * there is already an instance of <code>SuppressPropertiesBeanIntrospector</code>
++ * <p>Because the {@code class} property is undesired in many use cases
++ * there is already an instance of {@code SuppressPropertiesBeanIntrospector}
+  * which is configured to suppress this property. It can be obtained via the
+- * <code>SUPPRESS_CLASS</code> constant of
+- * <code>SuppressPropertiesBeanIntrospector</code>.</p>
++ * {@code SUPPRESS_CLASS} constant of
++ * {@code SuppressPropertiesBeanIntrospector}.</p>
++ *
++ * <p>Another problematic property is the {@code enum} "declaredClass" property,
++ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector}
++ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.</p>
++ *
++ * <p>Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.</p>
+  *
+  * <a name="dynamic"></a>
+  * <h1>3. Dynamic Beans (DynaBeans)</h1>
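Review bot: The new paragraph names the property "declaredClass", but the constant added in SuppressPropertiesBeanIntrospector suppresses `declaringClass`; fix the name so the documentation matches the code (`the {@code enum} "declaringClass" property`). Most of the remaining lines in this hunk are `<code>` to `{@code}` conversions unrelated to the CVE fix; for a targeted stable backport consider keeping only the two added paragraphs.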
+-- 
+2.30.2
+
diff -Nru commons-beanutils-1.9.4/debian/patches/series commons-beanutils-1.9.4/debian/patches/series
--- commons-beanutils-1.9.4/debian/patches/series	2019-08-17 03:25:36.000000000 +0300
+++ commons-beanutils-1.9.4/debian/patches/series	2025-07-17 16:14:22.000000000 +0300
@@ -1 +1,2 @@
 01-disable-beanmaptestcase.patch
+0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---
