Segmentation fault after upgrade to 3.3.x

Bug #1287118 reported by Michal Čihař
This bug affects 2 people
Affects: lxml
Status: Fix Released
Importance: Critical
Assigned to: scoder

Bug Description

After upgrade to 3.3.x (I've reproduced this bug with 3.3.1 and 3.3.2), I get a segmentation fault when running the testsuite of a Django application using the tastypie API.

It seems to lead to deallocation of lxml objects as the backtrace ends with:

#0 subtype_dealloc (self=0x3210b00) at Objects/typeobject.c:915
#1 0x00007ffff1d9e347 in __pyx_tp_dealloc_4lxml_5etree__ElementTree (o=0x3210ea8) at src/lxml/lxml.etree.c:175081

It happens with both libxml 2.7.8 and 2.9.1.

I was able to reduce the test to parsing a simple XML file using defusedxml, which is attached.

This might be a security issue as well, though I'm not 100% sure.

Michal Čihař (nijel) wrote :

Actually defusedxml is not important, I've reduced the testcase to use lxml only, attached.

Michal Čihař (nijel)
description: updated
Michal Čihař (nijel) wrote :
scoder (scoder) wrote :

Thanks for cutting this down to a simple test case. I had heard about crashes before but they usually involved some huge and unwieldy setup.

I can easily reproduce it and have found a fix already.

Changed in lxml:
assignee: nobody → scoder (scoder)
importance: Undecided → Critical
milestone: none → 3.3
status: New → Confirmed
scoder (scoder) wrote :
Changed in lxml:
status: Confirmed → Fix Committed
scoder (scoder) wrote :

Removing "security" flag from this bug as it depends more on code than on input data, so it's hard to trigger from the outside. And knowing about it helps as it may keep impacted users from upgrading carelessly.

information type: Private Security → Public
Michal Čihař (nijel) wrote :

Thanks for fast fixing, I confirm it now works correctly.

scoder (scoder) wrote :

Fixed in lxml 3.3.3.

Changed in lxml:
status: Fix Committed → Fix Released