segfault when using lxml>=5 on at least python:3.9.12-alpine and almalinux:8 with python 3.8 3.9 and 3.11
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lxml | Triaged | Undecided | Unassigned |

Bug Description
We are using OneLogin Saml2 in our project and this suddenly crashed in our pipeline.
After some debugging and checking our changes, I found out it wasn't a change in our codebase, but we did not fixate lxml in our requirements.
We are normally running python 3.9 via the official python:
```
RUN dnf install -y epel-release yum-utils \
&& dnf config-manager --enable epel \
&& dnf config-manager --set-enabled powertools \
&& dnf update -y \
&& dnf install -y \
openssl-devel libffi-devel bzip2-devel \
postgresql-libs postgresql-devel sqlite-devel \
gcc make wget \
httpd-devel \
libxml2-devel xmlsec1-devel xmlsec1-
git \
redhat-
python39-devel \
python39 \
postgresq
postgresql \
openssl \
libxml2 \
xmlsec1 \
xmlsec1-
&& dnf clean all \
&& rm -rf /var/cache/dnf
```
In our project we are using OneLogin Saml2, and when we create our metadata or get a login request (XML artifact), the entire Python process crashes with a coredump.
While debugging I found out that it was, for example, this line causing the issue:
https:/
```
signature = xmlsec.
```
And after running a `pip freeze` I found out that our lxml library had been updated from `lxml==4.9.3 => lxml==5.1.0`
4.9.3 was working OK, and so is 4.9.4.
But 5.0.0, 5.0.1 and 5.1.0 are broken, all resulting in a segfault.
```
jan 10 15:50:34 localhost.
```
I can provide more info if required, like a small test scenario, but I hope this already provides enough info.
Without looking into the details, the most likely reason seems to be the use of xmlsec. If that's based on the system libraries, then the libxml2 version is probably different (and possibly incompatible) for xmlsec and lxml.
Could you try it with a clean source build of lxml against your system libraries? I.e. not using the binary wheels from PyPI?
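
One way to check the libxml2 mismatch suggested above before any signing code runs. This is an added example, not part of the original thread and not lxml or python-xmlsec project code. It assumes the xmlsec module is python-xmlsec, that its version helpers are present only in newer releases (hence the `getattr` lookup), and that a differing libxml2 major.minor is what counts as a mismatch.

```python
"""Report which libxml2 each binding uses and flag disagreements."""


def collect_versions():
    """Return {label: version tuple} for every binding that can be imported."""
    found = {}
    try:
        from lxml import etree
        found["lxml compiled"] = tuple(etree.LIBXML_COMPILED_VERSION)
        found["lxml runtime"] = tuple(etree.LIBXML_VERSION)
    except ImportError:
        pass
    try:
        import xmlsec
    except Exception:  # the import itself may fail, e.g. not installed
        return found
    # Assumption: these helpers exist only in newer python-xmlsec releases.
    for label, name in (("xmlsec compiled", "get_libxml_compiled_version"),
                        ("xmlsec runtime", "get_libxml_version")):
        getter = getattr(xmlsec, name, None)
        if getter is not None:
            found[label] = tuple(getter())
    return found


def find_mismatches(versions):
    """Return sorted (label_a, label_b) pairs whose libxml2 major.minor differ."""
    labels = sorted(versions)
    pairs = []
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if versions[a][:2] != versions[b][:2]:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    versions = collect_versions()
    for label, ver in sorted(versions.items()):
        print(f"{label:16} libxml2 {'.'.join(map(str, ver))}")
    for a, b in find_mismatches(versions):
        print(f"MISMATCH: {a} vs {b}")
```

Running it in the same image as the application, once with the PyPI wheel and once with a source build of lxml, shows whether the two bindings agree on libxml2.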