Segmentation fault after upgrade to 3.3.x

Bug #1287118 reported by Michal Čihař on 2014-03-03
This bug affects 2 people
Affects: lxml
Importance: Critical
Assigned to: scoder

Bug Description

After upgrade to 3.3.x (I've reproduced this bug with 3.3.1 and 3.3.2), I get a segmentation fault when running the test suite of a Django application using the tastypie API.

It seems to lead to deallocation of lxml objects as the backtrace ends with:

#0 subtype_dealloc (self=0x3210b00) at Objects/typeobject.c:915
#1 0x00007ffff1d9e347 in __pyx_tp_dealloc_4lxml_5etree__ElementTree (o=0x3210ea8) at src/lxml/lxml.etree.c:175081

It happens with both libxml 2.7.8 and 2.9.1.

I was able to reduce the test to parsing a simple XML file using defusedxml, which is attached.

This might be a security issue as well, though I'm not 100% sure.

Michal Čihař (nijel) wrote :

Actually defusedxml is not important, I've reduced the testcase to use lxml only, attached.

Michal Čihař (nijel) on 2014-03-03
description: updated
Michal Čihař (nijel) wrote :
scoder (scoder) wrote :

Thanks for cutting this down to a simple test case. I had heard about crashes before but they usually involved some huge and unwieldy setup.

I can easily reproduce it and have found a fix already.

Changed in lxml:
assignee: nobody → scoder (scoder)
importance: Undecided → Critical
milestone: none → 3.3
status: New → Confirmed
scoder (scoder) wrote :
Changed in lxml:
status: Confirmed → Fix Committed
scoder (scoder) wrote :

Removing the "security" flag from this bug as it depends more on code than on input data, so it's hard to trigger from the outside. And knowing about it helps as it may keep impacted users from upgrading carelessly.

information type: Private Security → Public
Michal Čihař (nijel) wrote :

Thanks for fast fixing, I confirm it now works correctly.

scoder (scoder) wrote :

Fixed in lxml 3.3.3.

Changed in lxml:
status: Fix Committed → Fix Released