[New-bugs-announce] [issue22807] uuid.uuid1() should use uuid_generate_time_safe() if available
Barry A. Warsaw
report at bugs.python.org
Thu Nov 6 21:07:26 CET 2014
New submission from Barry A. Warsaw:
I'm classifying this as a security issue, since using uuid_generate_time() -- i.e. the not _safe() variety -- does return collisions in real world cases that we've seen, and those could have security implications. However, I don't know that this can be exploited in any real world cases, so I'm not making it private or sending to security at .
The basic problem is that uuid.uuid1() uses uuid_generate_time(3), but if the synchronization methods used in that C function's manpage are not used, then two concurrent processes can -- and do in our cases -- return the same UUID.
I would propose that if uuid_generate_time_safe() is available, this should be used instead, and the return value should be checked to see if a safe method was used. If not, then uuid1() should fall back to the pure-Python approach.
----------
components: Library (Lib)
keywords: security_issue
messages: 230759
nosy: barry
priority: normal
severity: normal
status: open
title: uuid.uuid1() should use uuid_generate_time_safe() if available
versions: Python 2.7, Python 3.4, Python 3.5
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22807>
_______________________________________
More information about the New-bugs-announce
mailing list