Bug#1116951: bookworm-pu: package libcommons-lang3-java/3.12.0-2+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libcommons-lang3-java@packages.debian.org
Control: affects -1 + src:libcommons-lang3-java
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
[ Reason ]
This upload attempts to fix CVE-2025-48924, an uncontrolled recursion
vulnerability that can lead to a StackOverflowError, for users of Debian
Bookworm.
[ Impact ]
If the update is not approved, users might be affected by CVE-2025-48924.
[ Tests ]
The patch adds a new test to check if the fix is successful. I also did some
successful manual testing running the whole testuite.
[ Risks ]
There is the risk of regression. While backporting the patch for ELTS, an issue
had been discovered and the patches have been carefully checked. However, the
patch used in this version was not affected by the regression discovered, and
all tests ran successful.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The patch uses the official rewrite that avoids the recursion.
[ Other info ]
The issue has been fixed in LTS (uploaded) and ELTS (upload pending).
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmjci8sACgkQS80FZ8KW
0F3eYg/8C0rZ3+nKN0vz0rfd6kzdoHI8Cv9EU8I97QkNDeo6OCGbpyzaFcCO1X44
+J6ASi0lQGc4+UbVqFgSSXhYTSAQ+BtzqejWM+KpEcKUzlnrCGRZjkB0nMXUiS9N
4c/BESEf869T2+36/GHG//uQ9+h00e0sHh/caJhzdMHXO6fx8xMh1x/krO4gb01W
+eFCwVR+FUQ38PP1FcWRbci5zb3lje++WLiHZSesFHpsM9N0EQ9rYXhoVSybEAol
HnTom0Ocx0+4mGkIQ3beSNsq6CXUky6FRofwzX9igJTVeeynvIgHQM+z3+1A1leO
kltTgevNwHFNf8Z2s/H8njQ9oN/4HRl4BfcgVFKm+hYxX5MfBhYU5FNnjdd55dAZ
Nhj6bDP/g+V5o5bExay9DI0mrSUoOW5QEfvt6FBdKZNxPU1dbjJ86W1OJJ8hMgI8
7FqH9HKnwZqeuJm/4eHDnFLv+harEMI5BF+cDWwVefIKCZ4D2UufYyHLOcsEBX1C
5r5bYkjOQTKVwDWHVXtuQVh6SPmTn+Tzy7JMgdF8xgf0jFMh4QJzNjLaL5xUrOn8
Uiad63Mh2CbTUJQTWuGUDIsajSm7f6x8f8sOcW1bEW0lyToGJUvI8YpsN0pRY/r3
kNMR3LsIVDaWn9F1318qEr0VC7glSH1W5AgRmY+VnqKDFjtrXbk=
=dzi3
-----END PGP SIGNATURE-----
diff -Nru libcommons-lang3-java-3.12.0/debian/changelog libcommons-lang3-java-3.12.0/debian/changelog
--- libcommons-lang3-java-3.12.0/debian/changelog 2022-05-03 18:43:26.000000000 +0200
+++ libcommons-lang3-java-3.12.0/debian/changelog 2025-10-01 03:48:57.000000000 +0200
@@ -1,3 +1,11 @@
+libcommons-lang3-java (3.12.0-2+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * d/patches/CVE-2025-48924.patch: Add patch to fix CVE-2025-48924.
+ - Fix an uncontrolled recursion vulnerability (closes: 1109125).
+
+ -- Daniel Leidert <dleidert@debian.org> Wed, 01 Oct 2025 03:48:57 +0200
+
libcommons-lang3-java (3.12.0-2) unstable; urgency=medium
* Ignore the spotbugs and checkstyle plugins
diff -Nru libcommons-lang3-java-3.12.0/debian/gbp.conf libcommons-lang3-java-3.12.0/debian/gbp.conf
--- libcommons-lang3-java-3.12.0/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100
+++ libcommons-lang3-java-3.12.0/debian/gbp.conf 2025-10-01 03:48:57.000000000 +0200
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian/bookworm
+pristine-tar = True
diff -Nru libcommons-lang3-java-3.12.0/debian/patches/CVE-2025-48924.patch libcommons-lang3-java-3.12.0/debian/patches/CVE-2025-48924.patch
--- libcommons-lang3-java-3.12.0/debian/patches/CVE-2025-48924.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcommons-lang3-java-3.12.0/debian/patches/CVE-2025-48924.patch 2025-10-01 03:48:57.000000000 +0200
@@ -0,0 +1,145 @@
+From: Gary Gregory <garydgregory@gmail.com>
+Date: Sat, 21 Sep 2024 17:23:08 -0400
+Subject: [PATCH] Rewrite ClassUtils.getClass() without recursion to avoid
+ StackOverflowError on very long inputs.
+
+- This was found fuzz testing Apache Commons Text which relies on
+ClassUtils.
+- OssFuzz Issue 42522972:
+apache-commons-text:StringSubstitutorInterpolatorFuzzer: Security
+exception in org.apache.commons.lang3.ClassUtils.getClass
+
+Reviewed-By: Daniel Leidert <dleidert@debian.org>
+Origin: https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53
+Bug: https://github.com/advisories/GHSA-j288-q9x7-2f5v
+Bug-Debian: https://bugs.debian.org/1109125
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48924
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2025-48924
+---
+ .../java/org/apache/commons/lang3/ClassUtils.java | 45 ++++++++++-----------
+ .../commons/lang3/ClassUtilsOssFuzzTest.java | Bin 0 -> 17081 bytes
+ 2 files changed, 21 insertions(+), 24 deletions(-)
+ create mode 100644 src/test/java/org/apache/commons/lang3/ClassUtilsOssFuzzTest.java
+
+diff --git a/src/main/java/org/apache/commons/lang3/ClassUtils.java b/src/main/java/org/apache/commons/lang3/ClassUtils.java
+index e6a0931..8461e82 100644
+--- a/src/main/java/org/apache/commons/lang3/ClassUtils.java
++++ b/src/main/java/org/apache/commons/lang3/ClassUtils.java
+@@ -1060,30 +1060,26 @@ public static boolean isInnerClass(final Class<?> cls) {
+ */
+ public static Class<?> getClass(
+ final ClassLoader classLoader, final String className, final boolean initialize) throws ClassNotFoundException {
+- try {
+- final Class<?> clazz;
+- if (namePrimitiveMap.containsKey(className)) {
+- clazz = namePrimitiveMap.get(className);
+- } else {
+- clazz = Class.forName(toCanonicalName(className), initialize, classLoader);
+- }
+- return clazz;
+- } catch (final ClassNotFoundException ex) {
+- // allow path separators (.) as inner class name separators
+- final int lastDotIndex = className.lastIndexOf(PACKAGE_SEPARATOR_CHAR);
+-
+- if (lastDotIndex != -1) {
+- try {
+- return getClass(classLoader, className.substring(0, lastDotIndex) +
+- INNER_CLASS_SEPARATOR_CHAR + className.substring(lastDotIndex + 1),
+- initialize);
+- } catch (final ClassNotFoundException ex2) { // NOPMD
+- // ignore exception
++ // This method was re-written to avoid recursion and stack overflows found by fuzz testing.
++ String next = className;
++ int lastDotIndex = -1;
++ do {
++ try {
++ Class<?> clazz;
++ if (namePrimitiveMap.containsKey(next)) {
++ clazz = namePrimitiveMap.get(next);
++ } else {
++ clazz = Class.forName(toCanonicalName(next), initialize, classLoader);
++ }
++ return clazz;
++ } catch (final ClassNotFoundException ex) {
++ lastDotIndex = next.lastIndexOf(PACKAGE_SEPARATOR_CHAR);
++ if (lastDotIndex != -1) {
++ next = next.substring(0, lastDotIndex) + INNER_CLASS_SEPARATOR_CHAR + next.substring(lastDotIndex + 1);
+ }
+ }
+-
+- throw ex;
+- }
++ } while (lastDotIndex != -1);
++ throw new ClassNotFoundException(next);
+ }
+
+ /**
+@@ -1198,9 +1194,10 @@ public static Method getPublicMethod(final Class<?> cls, final String methodName
+ private static String toCanonicalName(String className) {
+ className = StringUtils.deleteWhitespace(className);
+ Validate.notNull(className, "className");
+- if (className.endsWith("[]")) {
++ final String arrayMarker = "[]";
++ if (className.endsWith(arrayMarker)) {
+ final StringBuilder classNameBuffer = new StringBuilder();
+- while (className.endsWith("[]")) {
++ while (className.endsWith(arrayMarker)) {
+ className = className.substring(0, className.length() - 2);
+ classNameBuffer.append("[");
+ }
+diff --git a/src/test/java/org/apache/commons/lang3/ClassUtilsOssFuzzTest.java b/src/test/java/org/apache/commons/lang3/ClassUtilsOssFuzzTest.java
+new file mode 100644
+index 0000000..3c9d39e
+--- /dev/null
++++ b/src/test/java/org/apache/commons/lang3/ClassUtilsOssFuzzTest.java
+@@ -0,0 +1,50 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++package org.apache.commons.lang3;
++
++import static org.junit.jupiter.api.Assertions.assertThrows;
++
++import org.junit.jupiter.api.Test;
++
++/**
++ * Tests {@link ClassUtils}.
++ */
++public class ClassUtilsOssFuzzTest {
++
++ /**
++ * Tests that no StackOverflowError is thrown.
++ * <p>
++ * OSS-Fuzz Issue 42522972: apache-commons-text:StringSubstitutorInterpolatorFuzzer: Security exception in org.apache.commons.lang3.ClassUtils.getClass
++ * </p>
++ */
++ @Test
++ public void testGetClassLongIllegalName() throws Exception {
++ // Input from Commons Text clusterfuzz-testcase-StringSubstitutorInterpolatorFuzzer-5447769450741760
++ assertThrows(ClassNotFoundException.class, () -> ClassUtils.getClass(
++ "ˇda´~e]W]�������������������~����������t�$t�${.u�base64encoder{con+s�{.u�base64encoder{con+s����������~����������t���....................��������������������������������������������������������������������������������������................ˇˇˇˇˇˇˇˇˇˇ�&${localho�t:ˇˇˇˇˇˇ4ˇ�.........��...............�..........s${.!.�${.. �\\E],${conÅ��������EEE]W€EÅE.!�${.u�base64encoder{conÅ��������EEE]W€EÅE.!�${.u�base64encoder{con+s����������~����������t���....................................ˇˇˇˇˇˇˇˇˇˇ�&${localho�t:ˇˇˇˇˇˇ-636ˇ�.............................................................�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-....�..�����t]V]W€EÅE.!�$${.u�-�-�}"));
++ }
++
++ /**
++ * Tests that no StackOverflowError is thrown.
++ */
++ @Test
++ public void testGetClassLongName() throws Exception {
++ // Input from based on the above, without illegal characters.
++ assertThrows(ClassNotFoundException.class, () -> ClassUtils.getClass(StringUtils.repeat("a.", 5_000) + "b"));
++ }
++}
diff -Nru libcommons-lang3-java-3.12.0/debian/patches/series libcommons-lang3-java-3.12.0/debian/patches/series
--- libcommons-lang3-java-3.12.0/debian/patches/series 2022-05-03 13:27:07.000000000 +0200
+++ libcommons-lang3-java-3.12.0/debian/patches/series 2025-10-01 03:48:57.000000000 +0200
@@ -1,3 +1,4 @@
disable_testGetUserHome_test.diff
ignore-benchmarks.diff
easymock-compatibility.patch
+CVE-2025-48924.patch
Reply to: