-
Notifications
You must be signed in to change notification settings - Fork 601
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NewV4: non-random uuid #73
Comments
humans are bad at telling randomness. While it is extraordinarily, astronomically unlikely that you would have so many uuids with that many zeros, it is still theoretically possible. |
In an IDs such as
I don't know the root cause of this. |
These UUIDs seem suspiciously non-random to me as well.
The only possibilities I can think of:
|
Okay, I can reproduce it! I instrumented ServerA with this code:
Which runs without crashing if ServerA idle or handling standard requests. If ServerA is calling ServerB (to resize images), the ServerA immediately crash with a bad uuid. |
Okay, I found the problem.
Turns out, on some occasions |
@josselin-c Could you make a patch and see if you can reproduce the error with your script and |
One more thing that is interesting to me is the fact that the UUIDs you posted are not of equal length. |
Use ReadFull to fetch random bytes from crypto/rand instead of calling Read directly as Read may read less bytes than asked. Fix satori#73
So it looks like this commit introduced the bug: 0ef6afb Prior to that commit, |
How is a critical bug like this still unresolved? Especially given that someone already did the work to fix it. |
The latest tagged version of the module contains the deficiency described in satori/go.uuid#73. Advancing to the commit where this issue was addressed. Conflicts: go.mod internal/app/siftool/modif.go pkg/sif/create_test.go
What's the fix here? :) |
Switch from unmaintained github.com/satori/go.uuid to github.com/gofrs/uuid |
Thanks! @rkuris |
Fix the satori/go.uuid reference to avoid the CVE. More information jackc/pgx#1052 satori/go.uuid#75 satori/go.uuid#73
Fixes OSV GO-2020-0018 satori/go.uuid#73
Fixes OSV GO-2020-0018 satori/go.uuid#73
…uxdata#6768) While there has been a workaround in place for some time, this change is being made to reduce confusion around if Telegraf is affected by satori/go.uuid#73
. Currently, NIST lists 1.2.0 as excluded in the vulnerability scope of this project, which is causing us some compliance problems at the moment as the package is being used in a managed service we use at AWS. See https://nvd.nist.gov/vuln/detail/CVE-2021-3538 I have limited experience (alright, none) with Go, so please correct me if I am wrong. It seems various services/scanners out there do not agree if 1.2.0 is vulnerable or not. If 1.2.0 is not vulnerable, there isn't any reason to panic at all, as the vulnerable code was then never released as a versioned dependency. Edit: Okay, I read all of the comment I quoted. Since the replaced Edit 2: I would like to stress that I am fully aware that this package is ancient and should not be used. However, I have run into compliance issues because it is still being used in code I don't control (AWS, thank you very much). I was/am trying to find out which way is up with this finding and how seriously to take it. |
Version 1.2.0 of this package is no longer listed as vulnerable. NIST have revised their publication. |
I'm running this on my macbook pro.
I'm using uuid.Must(uuid.NewV4()).String() to generate random identifiers. I'm generating theses identifiers at a very low rate of a few dozen per days
Here are some non-random UUID that I got in the last weeks:
I think I shouldn't have theses.
The text was updated successfully, but these errors were encountered: