Fix improper access control vulnerability

Resolves: CVE-2025-48734

.gitignore

@@ -7,4 +7,3 @@
 /commons-beanutils-1.9.2-src.tar.gz
 /commons-beanutils-1.9.3-src.tar.gz
 /commons-beanutils-1.9.4-src.tar.gz
-/commons-beanutils-1.11.0-src.tar.gz

0001-Fix-CVE-2025-48734.patch

@@ -0,0 +1,66 @@
+From 50e55ddeda5b26730a74f1a00871a8e0bf5a2131 Mon Sep 17 00:00:00 2001
+From: Gary Gregory <garydgregory@gmail.com>
+Date: Sun, 25 May 2025 09:07:32 -0400
+Subject: [PATCH] Fix CVE-2025-48734
+
+Backported from upstream commit 28ad955a1613ed5885870cc7da52093c1ce739dc
+---
+ .../apache/commons/beanutils/PropertyUtilsBean.java   |  1 +
+ .../beanutils/SuppressPropertiesBeanIntrospector.java | 11 +++++++++++
+ .../org/apache/commons/beanutils/package-info.java    |  6 ++++++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+index 36eb7f57..04d99576 100644
+--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
++++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+@@ -189,6 +189,7 @@ public class PropertyUtilsBean {
+         introspectors.clear();
+         introspectors.add(DefaultBeanIntrospector.INSTANCE);
+         introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
++        introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
+     }
+ 
+     /**
+diff --git a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+index bd6b2cdc..cff34969 100644
+--- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
++++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+@@ -48,6 +48,17 @@ public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
+     public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
+             new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
+ 
++    /**
++     * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the call for
++     * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this
++     * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be
++     * accessed.
++     *
++     * @since 1.11.0
++     */
++    public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector(
++            Collections.singleton("declaringClass"));
++
+     /** A set with the names of the properties to be suppressed. */
+     private final Set<String> propertyNames;
+ 
+diff --git a/src/main/java/org/apache/commons/beanutils/package-info.java b/src/main/java/org/apache/commons/beanutils/package-info.java
+index 3cb9d34c..ac8d2a1f 100644
+--- a/src/main/java/org/apache/commons/beanutils/package-info.java
++++ b/src/main/java/org/apache/commons/beanutils/package-info.java
+@@ -444,6 +444,12 @@
+  * <code>SUPPRESS_CLASS</code> constant of
+  * <code>SuppressPropertiesBeanIntrospector</code>.</p>
+  *
++ * <p>Another problematic property is the {@code enum} "declaredClass" property,
++ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector}
++ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.</p>
++ *
++ * <p>Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.</p>
++ *
+  * <a name="dynamic"></a>
+  * <h1>3. Dynamic Beans (DynaBeans)</h1>
+  *
+-- 
+2.49.0
+

apache-commons-beanutils.spec

@@ -1,7 +1,7 @@
 %bcond_with bootstrap
 
 Name:           apache-commons-beanutils
-Version:        1.11.0
+Version:        1.9.4
 Release:        %autorelease
 Summary:        Java utility methods for accessing and modifying the properties of arbitrary JavaBeans
 License:        Apache-2.0
@@ -11,16 +11,16 @@ ExclusiveArch:  %{java_arches} noarch
 
 Source0:        http://archive.apache.org/dist/commons/beanutils/source/commons-beanutils-%{version}-src.tar.gz
 
+Patch:          0001-Fix-CVE-2025-48734.patch
+
 %if %{with bootstrap}
 BuildRequires:  javapackages-bootstrap
 %else
-BuildRequires:  maven-local-openjdk25
+BuildRequires:  maven-local
 BuildRequires:  mvn(commons-collections:commons-collections)
 BuildRequires:  mvn(commons-logging:commons-logging)
 BuildRequires:  mvn(org.apache.commons:commons-parent:pom:)
 %endif
-# TODO Remove in Fedora 46
-Obsoletes:      %{name}-javadoc < 1.9.4-40
 
 %description
 The scope of this package is to create a package of Java utility methods
@@ -28,6 +28,12 @@ for accessing and modifying the properties of arbitrary JavaBeans.  No
 dependencies outside of the JDK are required, so the use of this package
 is very lightweight.
 
+%package javadoc
+Summary:        API documentation for %{name}
+
+%description javadoc
+API documentation for %{name}.
+
 %prep
 %autosetup -p1 -C
 sed -i 's/\r//' *.txt
@@ -41,7 +47,7 @@ sed -i 's/\r//' *.txt
 
 %build
 # Some tests fail in Koji
-%mvn_build -j -f -- -Dcommons.packageId=beanutils
+%mvn_build -f -- -Dcommons.packageId=beanutils
 
 %install
 %mvn_install
@@ -50,5 +56,8 @@ sed -i 's/\r//' *.txt
 %doc RELEASE-NOTES.txt
 %license LICENSE.txt NOTICE.txt
 
+%files javadoc -f .mfiles-javadoc
+%license LICENSE.txt NOTICE.txt
+
 %changelog
 %autochangelog

plans/javapackages.fmf

@@ -1,7 +1,7 @@
 summary: Run javapackages-specific tests
 discover:
   how: fmf
-  url: https://gitlab.com/redhat/centos-stream/tests/javapackages.git
+  url: https://src.fedoraproject.org/tests/javapackages
-  ref: f43
+  ref: f42
 execute:
   how: tmt

sources

@@ -1 +1 @@
-SHA512 (commons-beanutils-1.11.0-src.tar.gz) = edd930e7f8118d0cceb8647666fe1d5f873f939f858f433cd19985a75c4575455f2a2d339e4bcbf08b3f586c785a60429d4bb33ff6239da8f2c6183c8c318f18
+SHA512 (commons-beanutils-1.9.4-src.tar.gz) = 6f3d30d02b9a66cf20509bd868c6e2dadb44bb27da1e6b9af7275675e0f3826845a5d4005509dd1eb77a5b2937820c4770a3753daaab072785dcdab0caa69e73