From 5bff677573577ff143cf01d5b0b508de5063e9cf Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 1 Jul 2025 09:57:28 +0800
Subject: [PATCH] Fix CVE-2025-48734
(cherry picked from commit ce4b7716079c8cc6d6d6dc21f416614b6f9d3e90)
---
CVE-2025-48734.patch | 98 +++++++++++++++++++++++++++++++++++
apache-commons-beanutils.spec | 9 ++--
2 files changed, 104 insertions(+), 3 deletions(-)
create mode 100644 CVE-2025-48734.patch
diff --git a/CVE-2025-48734.patch b/CVE-2025-48734.patch
new file mode 100644
index 0000000..7f160bf
--- /dev/null
+++ b/CVE-2025-48734.patch
@@ -0,0 +1,98 @@
+From 28ad955a1613ed5885870cc7da52093c1ce739dc Mon Sep 17 00:00:00 2001
+From: Gary Gregory
+Date: Sun, 25 May 2025 09:07:32 -0400
+Subject: [PATCH] Add
+ org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS
+
+---
+ pom.xml | 11 +-
+ src/changes/changes.xml | 3 +-
+ .../commons/beanutils/PropertyUtilsBean.java | 1 +
+ .../SuppressPropertiesBeanIntrospector.java | 24 ++--
+ .../commons/beanutils/package-info.java | 18 ++-
+ .../apache/commons/beanutils/TestEnum.java | 33 ++++++
+ .../bugs/EnumDeclaringClassTest.java | 108 ++++++++++++++++++
+ 7 files changed, 180 insertions(+), 18 deletions(-)
+ create mode 100644 src/test/java/org/apache/commons/beanutils/TestEnum.java
+ create mode 100644 src/test/java/org/apache/commons/beanutils/bugs/EnumDeclaringClassTest.java
+
+--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
++++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+@@ -189,6 +189,7 @@ public class PropertyUtilsBean {
+ introspectors.clear();
+ introspectors.add(DefaultBeanIntrospector.INSTANCE);
+ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
++ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
+ }
+
+ /**
+--- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
++++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+@@ -37,16 +37,24 @@ import java.util.Set;
+ * @since 1.9.2
+ */
+ public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
++
++ /**
++ * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the property
++ * {@code class} (which is common to all Java objects) can be a security risk because it also allows access to the class loader. Adding this instance as
++ * {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be accessed.
++ */
++ public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS = new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
++
+ /**
+- * A specialized instance which is configured to suppress the special {@code class}
+- * properties of Java beans. Unintended access to the property {@code class} (which is
+- * common to all Java objects) can be a security risk because it also allows access to
+- * the class loader. Adding this instance as {@code BeanIntrospector} to an instance
+- * of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no
+- * longer be accessed.
++ * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the call for
++ * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this
++ * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be
++ * accessed.
++ *
++ * @since 1.11.0
+ */
+- public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
+- new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
++ public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector(
++ Collections.singleton("declaringClass"));
+
+ /** A set with the names of the properties to be suppressed. */
+ private final Set propertyNames;
+--- a/src/main/java/org/apache/commons/beanutils/package-info.java
++++ b/src/main/java/org/apache/commons/beanutils/package-info.java
+@@ -429,20 +429,26 @@
+ * then be removed if they have been detected by other BeanIntrospector
+ * instances during processing of a bean class.
+ *
+- * A good use case for suppressing properties is the special class
++ *
A good use case for suppressing properties is the special {@code class}
+ * property which is per default available for all beans; it is generated from the
+- * getClass() method inherited from Object which follows the
++ * {@code getClass()} method inherited from {@code Object} which follows the
+ * naming conventions for property get methods. Exposing this property in an
+ * uncontrolled way can lead to a security vulnerability as it allows access to
+ * the class loader. More information can be found at
+ *
+ * https://issues.apache.org/jira/browse/BEANUTILS-463.
+ *
+- * Because the class property is undesired in many use cases
+- * there is already an instance of SuppressPropertiesBeanIntrospector
++ *
Because the {@code class} property is undesired in many use cases
++ * there is already an instance of {@code SuppressPropertiesBeanIntrospector}
+ * which is configured to suppress this property. It can be obtained via the
+- * SUPPRESS_CLASS constant of
+- * SuppressPropertiesBeanIntrospector.
++ * {@code SUPPRESS_CLASS} constant of
++ * {@code SuppressPropertiesBeanIntrospector}.
++ *
++ * Another problematic property is the {@code enum} "declaredClass" property,
++ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector}
++ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.
++ *
++ * Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.
+ *
+ *
+ * 3. Dynamic Beans (DynaBeans)
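Review bot: The Javadoc added for `SUPPRESS_DECLARING_CLASS` (the `+` lines beginning `A specialized instance which is configured to suppress the special {@code class} properties`) was copied from `SUPPRESS_CLASS` and still claims it suppresses the `{@code class}` property, and the package-info addition calls the property `"declaredClass"`, while the constant actually suppresses `declaringClass` (the `Enum.getDeclaringClass()` getter) — anyone auditing which properties this backport blocks is misled by both. Suggested wording for the constant: `A specialized instance configured to suppress the {@code declaringClass} property that every Java {@code enum} exposes via {@code getDeclaringClass()}. Unintended access to it is a security risk because it also allows access to the class loader; adding this instance as a {@code BeanIntrospector} to a {@code PropertyUtilsBean} suppresses that property.`, and in package-info `the {@code enum} "declaringClass" property`. The embedded patch's diffstat lists `TestEnum.java` and `EnumDeclaringClassTest.java`, but the backport carries only the three main-source hunks, so the package's `xmvn test` run has no regression test showing that `declaringClass` is actually suppressed on the 1.9.4 introspector code path; consider carrying an adapted copy of the upstream test with the fix. The `@since 1.11.0` tag is also misleading inside a 1.9.4-4 package and could be dropped or reworded as the upstream origin, and note that the method receiving the new `introspectors.add(...)` line (presumably `resetBeanIntrospectors()`) starts outside the hunk, so whether every `PropertyUtilsBean` instance passes through it cannot be confirmed from this diff alone.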
diff --git a/apache-commons-beanutils.spec b/apache-commons-beanutils.spec
index 0f6db7c..f10fe82 100644
--- a/apache-commons-beanutils.spec
+++ b/apache-commons-beanutils.spec
@@ -2,13 +2,14 @@
%global short_name commons-%{base_name}
Name: apache-%{short_name}
Version: 1.9.4
-Release: 3
+Release: 4
Summary: Java utility methods for accessing and modifying the properties of arbitrary JavaBeans
License: ASL 2.0
BuildArch: noarch
URL: http://commons.apache.org/%{base_name}
Source0: http://archive.apache.org/dist/commons/%{base_name}/source/%{short_name}-%{version}-src.tar.gz
Patch0: Remove-unstable-test-cases.patch
+Patch1: CVE-2025-48734.patch
BuildRequires: maven-local mvn(commons-collections:commons-collections)
BuildRequires: mvn(commons-collections:commons-collections-testframework)
BuildRequires: mvn(commons-logging:commons-logging) mvn(junit:junit)
@@ -26,8 +27,7 @@ Summary: Javadoc for %{name}
%{summary}.
%prep
-%setup -q -n %{short_name}-%{version}-src
-%patch0 -p1
+%autosetup -n %{short_name}-%{version}-src -p1
sed -i 's/\r//' *.txt
%pom_remove_plugin :maven-assembly-plugin
%mvn_alias :{*} :@1-core :@1-bean-collections
@@ -53,6 +53,9 @@ xmvn test --batch-mode --offline verify
%doc LICENSE.txt NOTICE.txt
%changelog
+* Tue Jul 01 2025 yaoxin <1024769339@qq.com> - 1.9.4-4
+- Fix CVE-2025-48734
+
* Wed Jul 6 2022 liyanan - 1.9.4-3
- Remove unstable test cases
--
Gitee