Oracle has released a fix for security alert CVE-2010-4476 — the “Java Hangs on 2.2250738585072012e-308 bug.” The fix comes in the form of something called the FPUpdater Tool, which updates rt.jar. I tested it on my Windows XP system and it works.
Running FPUpdater
I downloaded and extracted fpupdater.jar and then ran this command:
"C:\Program Files\Java\jre6\bin\java" -jar fpupdater.jar -u -v
This was the output (formatted for display):
FPUpdater java.home: C:\Program Files\Java\jre6 java.vendor: Sun Microsystems Inc. java.version: 1.6.0_23 os.name: Windows XP Checking for update for major: 1.6.0 minor: 23 Retrieved update jar file from tool: C:\Program Files\Java\jre6\ tmpUpdate2208012852213660487\tmpUpdate5228545869487358026.jar Updating files. Please note this can take several minutes to run. Allow FPUpdater tool to complete. Jar file C:\Program Files\Java\jre6\lib\rt.jar.fpupdater succesfully verified. Done backup of rt.jar to C:\Program Files\Java\jre6\lib\ rt.jar.fpupdater Extracting C:\Program Files\Java\jre6\lib\rt.jar to working copy C:\Program Files\Java\jre6\lib\tmpUpdate7145466411537220462\ copyofRt.jar Recreating rt.jar Rebuilt. Jar file C:\Program Files\Java\jre6\lib\ tmpUpdate7145466411537220462\copyofRt.jar succesfully verified. Moving working copy of rt.jar back to live rt.jar. Update applied successfully to java.home path : C:\Program Files\Java\jre6
I have two instances of the JRE,
so I had to run the tool a second time, as per these instructions:
“If you run more than one instance of the JRE, for example if you have an instance of the JRE inside a JDK bundle and another standalone JRE, you need to run the tool against each instance to update them.”
I used this command:
"C:\Program Files\Java\jdk1.6.0_23\jre\bin\java" -jar fpupdater.jar -u -v
(The output was similar.)
After executing FPUpdater twice, both the runtime and compile time hangs were fixed.
No Source Code Available Yet
The source code for the fix is not available yet, but I’m told it will be soon. The fix updates FloatingDecimal.java, but I don’t know if it is the suggested fix. I’ll keep you posted.
a quick decompile with jad shows that it indeed applies the suggested fix:
$ diff new/FloatingDecimal.java old/FloatingDecimal.java
1047c1047
-1022 && –k3 if(bigIntNBits == 1 && bigIntExp > -1023 && –k3 < 0)
a quick decompile with jad shows that it indeed applies the suggested fix:
$ diff new/FloatingDecimal.java old/FloatingDecimal.java
1047c1047
l if(bigIntNBits == 1 && bigIntExp > -1022 && –k3 -1023 && –k3 < 0)
sorry the previous comment is messed up because of matching angle-brackets …
@javanon,
Thanks for checking this out!
Fyi, the source code has been pushed to OpenJDK’s hg repo: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/82c8c54ac1d5
@Chris,
Thanks — that also confirms they used the suggested fix:
Also, I was pointed to this link: OpenJDK JDK6 changeset. It’s similar to your link, but it includes a different version of the simple testcase they added. I ran the testcase on the patched version of Oracle’s JRE — and it fails; this was the output:
I’m not sure if this means the testcase is wrong, the fix is wrong, or I did something wrong. I’ll investigate.
|Update: None of the above — Java’s conversions are wrong! And this has nothing to do with the fix. (I guess I have something else to write about now.)
|Update: I submitted a bug report: see Java bug report 7019078 and my article about it.
Is this bug applicable to earlier jdk versions 1.4.x and 1.5.x ?
Does “FpUpdater” patch relates to this versions?
Yes, the FPUpdater seems to work with 1.4.x, 1.5.x and 1.6.x.
The following information is from the Oracle readme:
The FPUpdater tool is recommended for the Oracle JRE releases shown in the following table:
J2SE 1.4.2 Required for updates prior to, and including, 1.4.2_29
J2SE 5.0 Required for updates prior to, and including, 5.0u27
J2SE for Embedded 5.0 Required for updates prior to, and including, 5.0u27
Java SE 6 Required for updates prior to, and including, 6u23
Java SE for Embedded 6 Required for updates prior to, and including, 6u23
Java Real-Time System 2 Required for updates prior to, and including, 2.2u1
JRockit R27 Required for updates prior to, and including, R27.6.8
JRockit R28 Required for updates prior to, and including, R28.1.1
Best Regards,
Neale
This seems to affect OS X as well? Don’t suppose Apple have acknowledged it yet have they?
@chhum,
A reader of mine says it affects OS X.
I received the critical update from Oracle, but the Oracle FPUpdater tool only works for Oracle Java [vendor]. I have Java 1.4.2 from IBM and have been trying to find info/patch from them. Does anyone know of an IBM fix for this issue?
Thanks Bob
@bob: I filed a PMR and they at least acknowledged that there is a problem. They claim to have fixes available, but so far I only found a fix for WebSphere Application Server 6.1:
http://www-01.ibm.com/support/docview.wss?uid=swg24029090
I only asked about WAS 6.0, 6.1 and 7.0. I don’t know whether there is a separate fix for the JDK.
AFAICT, the fix works fine.
Fixes for WAS7.0 and WAS6.0 are now available as well:
http://www-01.ibm.com/support/docview.wss?uid=swg24029103
http://www-01.ibm.com/support/docview.wss?uid=swg24029102
Hi,
i am unable to find fpupdater.jar from oracle’s website.
Please tell me from where i can download this jar.
Thanks
@vikas,
The bug is over five years old, so it looks like they decided to redirect the link to the latest version of Java.
i am using jdk version 1.6_35. This issue is fixed in this verison ?
@vikas,
I don’t know but I’d assume so. You could try running the testcase to see if it hangs.