[New-bugs-announce] [issue22807] uuid.uuid1() should use uuid_generate_time_safe() if available

Barry A. Warsaw report at bugs.python.org
Thu Nov 6 21:07:26 CET 2014


New submission from Barry A. Warsaw:

I'm classifying this as a security issue, since using uuid_generate_time() -- i.e. the not _safe() variety -- does return collisions in real world cases that we've seen, and those could have security implications. However, I don't know that this can be exploited in any real world cases, so I'm not making it private or sending to security at .

The basic problem is that uuid.uuid1() uses uuid_generate_time(3), but if the synchronization methods used in that C function's manpage are not used, then two concurrent processes can -- and do in our cases -- return the same UUID.

I would propose that if uuid_generate_time_safe() is available, this should be used instead, and the return value should be checked to see if a safe method was used.  If not, then uuid1() should fall back to the pure-Python approach.

----------
components: Library (Lib)
keywords: security_issue
messages: 230759
nosy: barry
priority: normal
severity: normal
status: open
title: uuid.uuid1() should use uuid_generate_time_safe() if available
versions: Python 2.7, Python 3.4, Python 3.5

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22807>
_______________________________________


More information about the New-bugs-announce mailing list