MAAS

  1. Bug #1379826
  2. Activity log

Activity log for bug #1379826

Date Who What changed Old value New value Message
2014-10-10 15:24:43 Gavin Panella bug added bug
2014-10-10 15:26:12 Gavin Panella summary uuid.uuid1() is not suitable as a "private" identifier/token uuid.uuid1() is not suitable as an unguessable identifier/token
2014-10-10 15:27:33 Gavin Panella description uuid.uuid1() has been used for the FileStorage.key field. This field is used to create unguessable URLs that we can hand out from MAAS to refer back to that file. However, uuid1() is not random enough: def uuid1(node=None, clock_seq=None): """Generate a UUID from a host ID, sequence number, and the current time. If 'node' is not given, getnode() is used to obtain the hardware address. If 'clock_seq' is given, it is used as the sequence number; otherwise a random 14-bit sequence number is chosen.""" The host ID is, afaik, based on the machine's MAC address, so this is easily discoverable. The current time is assumed to be nanoseconds, but in practice appears to be microseconds; check time.time() output. An attacker, with the knowledge of the machine's MAC address, would need to search 58982400000000 UUIDs to discover every file created during a 1 hour timespan (3600e6 microseconds * 2^14). That's a lot of UUIDs, but I doubt it's even close to "secure". I think uuid.uuid4() would be a better choice here, as it is entirely made from random data. Or we could go direct and encode (e.g. base 16/32/64) 16 bytes straight from /dev/urandom. uuid.uuid1() has been used for the FileStorage.key field. This field is used to create unguessable URLs that we can hand out from MAAS to refer back to that file. However, uuid1() is not random enough:   def uuid1(node=None, clock_seq=None):       """Generate a UUID from a host ID, sequence number, and the       current time. If 'node' is not given, getnode() is used to obtain       the hardware address. If 'clock_seq' is given, it is used as the       sequence number; otherwise a random 14-bit sequence number is       chosen.""" The host ID is, afaik, based on the machine's MAC address, so this is easily discoverable. The current time is assumed to be nanoseconds, but in practice appears to be microseconds; check time.time() output. An attacker, with the knowledge of the machine's MAC address, would need to search 58982400000000 UUIDs to discover every file created during a 1 hour timespan (3600e6 microseconds * 2^14). That's a lot of UUIDs, but I doubt it's even close to "secure". I think uuid.uuid4() would be a better choice here, as it is entirely made from random data. Or we could go direct and encode (e.g. base 16/32/64) 16 bytes straight from /dev/urandom. This follows on from discussion in bug 1212205.
2014-10-12 23:26:16 Julian Edwards maas: status New Triaged
2014-10-12 23:26:18 Julian Edwards maas: importance Undecided Critical
2014-10-12 23:27:06 Julian Edwards maas: milestone next
2014-10-12 23:28:25 Julian Edwards nominated for series maas/1.5
2014-10-12 23:28:25 Julian Edwards bug task added maas/1.5
2014-10-12 23:28:25 Julian Edwards nominated for series maas/1.2
2014-10-12 23:28:25 Julian Edwards bug task added maas/1.2
2014-10-12 23:28:25 Julian Edwards nominated for series maas/1.6
2014-10-12 23:28:25 Julian Edwards bug task added maas/1.6
2014-10-12 23:28:35 Julian Edwards maas/1.2: status New Triaged
2014-10-12 23:28:38 Julian Edwards maas/1.5: status New Triaged
2014-10-12 23:28:41 Julian Edwards maas/1.6: status New Triaged
2014-10-12 23:28:43 Julian Edwards maas/1.2: importance Undecided Critical
2014-10-12 23:28:44 Julian Edwards maas/1.5: importance Undecided Critical
2014-10-12 23:28:46 Julian Edwards maas/1.6: importance Undecided Critical
2014-10-30 20:26:31 Christian Reis maas: milestone next 1.7.2
2015-01-28 18:11:12 Christian Reis maas: status Triaged In Progress
2015-01-28 18:11:17 Christian Reis maas/1.6: status Triaged Won't Fix
2015-01-30 15:34:51 Christian Reis bug added subscriber Ubuntu Security Team
2015-01-30 15:53:55 Marc Deslauriers cve linked 2014-1428
2015-02-27 13:00:23 Raphaël Badin nominated for series maas/1.7
2015-02-27 13:00:23 Raphaël Badin bug task added maas/1.7
2015-02-27 13:00:23 Raphaël Badin nominated for series maas/trunk
2015-02-27 13:00:23 Raphaël Badin bug task added maas/trunk
2015-02-27 13:00:31 Raphaël Badin maas/1.7: milestone 1.7.2
2015-02-27 13:00:39 Raphaël Badin maas/trunk: milestone 1.7.2
2015-03-03 16:27:34 Andres Rodriguez maas/1.7: milestone 1.7.2 1.7.3
2015-10-21 04:10:52 Tyler Hicks bug added subscriber Adam Conrad
2016-04-13 15:46:00 Blake Rouse maas/1.7: status New Won't Fix
2016-04-13 15:46:03 Blake Rouse maas/1.5: status Triaged Won't Fix
2016-04-13 15:46:05 Blake Rouse maas/1.2: status Triaged Won't Fix
2016-04-13 15:46:09 Blake Rouse nominated for series maas/1.9
2016-04-13 15:46:09 Blake Rouse bug task added maas/1.9
2016-04-13 15:46:15 Blake Rouse maas/1.9: status New In Progress
2016-04-13 15:46:17 Blake Rouse maas/1.9: importance Undecided Critical
2016-04-13 15:46:19 Blake Rouse maas/1.9: assignee Blake Rouse (blake-rouse)
2016-04-13 15:46:20 Blake Rouse maas/trunk: assignee Blake Rouse (blake-rouse)
2016-04-13 15:46:21 Blake Rouse maas/1.9: milestone 1.9.2
2016-04-13 15:46:23 Blake Rouse maas/trunk: milestone 2.0.0
2016-04-13 15:46:24 Blake Rouse maas/1.7: milestone 1.7.3
2016-04-13 16:58:23 Blake Rouse maas/trunk: status In Progress Fix Committed
2016-04-13 19:41:06 Launchpad Janitor branch linked lp:~maas-maintainers/maas/rand-uuid-bug-1379826-1.9
2016-04-13 20:54:17 MAAS Lander maas/1.9: status In Progress Fix Committed
2016-04-28 18:46:20 Andres Rodriguez maas/1.9: status Fix Committed Fix Released
2016-08-18 11:19:20 Andres Rodriguez maas: status Fix Committed Fix Released
2017-04-11 20:17:31 Jamon Camisso removed subscriber Gavin Panella
2019-03-21 03:17:24 Seth Arnold information type Private Security Public Security
2019-03-21 03:17:26 Seth Arnold bug added subscriber Ubuntu Bugs