[New-bugs-announce] [issue15206] uuid module falls back to unsuitable RNG

Christian Heimes report at bugs.python.org
Wed Jun 27 16:01:39 CEST 2012

New submission from Christian Heimes <lists at cheimes.de>:

The uuid module uses Mersenne Twister from the random module as last fallback. However a MT isn't suitable for cryptographic purposes. The module should first try to use os.urandom() and then perhaps use its own instance of random.Random, similar to uuid_generate_* [1]

The problem doesn't apply to most modern platforms as the uuid module uses either libuuid or the Windows API with ctypes. Therefore I consider the real world severity as low. It may not require a backport to Python 2.x.

[1] http://linux.die.net/man/3/uuid_generate

components: Library (Lib)
messages: 164157
nosy: christian.heimes
priority: normal
severity: normal
status: open
title: uuid module falls back to unsuitable RNG
type: security
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list