[New-bugs-announce] [issue15206] uuid module falls back to unsuitable RNG

Christian Heimes report at bugs.python.org
Wed Jun 27 16:01:39 CEST 2012


New submission from Christian Heimes <lists at cheimes.de>:

The uuid module uses Mersenne Twister from the random module as last fallback. However, a MT isn't suitable for cryptographic purposes. The module should first try to use os.urandom() and then perhaps use its own instance of random.Random, similar to uuid_generate_* [1].

The problem doesn't apply to most modern platforms as the uuid module uses either libuuid or the Windows API with ctypes. Therefore I consider the real-world severity as low. It may not require a backport to Python 2.x.

[1] http://linux.die.net/man/3/uuid_generate

----------
components: Library (Lib)
messages: 164157
nosy: christian.heimes
priority: normal
severity: normal
status: open
title: uuid module falls back to unsuitable RNG
type: security
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue15206>
_______________________________________
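
The ordering proposed in the report, as an added example that is not part of the original message and is not the uuid module's own code: version-4 UUIDs are built from os.urandom() first, with a private random.Random instance only as a last resort, and a seeded Mersenne Twister is shown reproducing the same UUID sequence. The function names and the seed value are hypothetical.

```python
import os
import random
import uuid


def uuid4_from_bytes(raw):
    """Build an RFC 4122 version-4 UUID from 16 raw bytes."""
    return uuid.UUID(bytes=raw, version=4)


def uuid4_mt(rng):
    """UUID drawn from a Mersenne Twister instance (the unsuitable source)."""
    return uuid4_from_bytes(rng.getrandbits(128).to_bytes(16, "big"))


def uuid4_preferred(fallback_rng=None):
    """Try the OS CSPRNG first; fall back to a private random.Random.

    Returns (uuid, source) so callers can log or reject the weak path.
    """
    try:
        return uuid4_from_bytes(os.urandom(16)), "os.urandom"
    except NotImplementedError:
        # No OS randomness source: use our own instance, not the shared
        # module-level generator that other code may have seeded.
        rng = fallback_rng or random.Random()
        return uuid4_mt(rng), "random.Random"


def mt_sequence(seed, count):
    """UUIDs produced by a Mersenne Twister started from a known seed."""
    rng = random.Random(seed)
    return [uuid4_mt(rng) for _ in range(count)]


if __name__ == "__main__":
    # Constructed seed: the same seed always yields the same "random" UUIDs.
    first = mt_sequence(20120627, 3)
    second = mt_sequence(20120627, 3)
    print("MT sequences identical:", first == second)

    value, source = uuid4_preferred()
    print("preferred source:", source, value)
```

Returning the source alongside the UUID lets an application refuse to issue security-sensitive identifiers when only the fallback generator was available.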

