Description
I've been using python3-saml for a while and recently encountered a new major issue on fresh installations which seems to be caused by the lxml toolkit for Python recently releasing version 5.0.0. The program encounters a segmentation fault when processing the ACS endpoint or generating metadata.
This core issue might be with xmlsec/python-xmlsec, but I'm not familiar with the inner workings of `xmlsec.template.create` to definitively say.
Minimal Reproducible Example
Dockerfile
```dockerfile
FROM python:3.9
RUN apt-get update && apt-get install -y libxml2-dev libxmlsec1-dev libxmlsec1-openssl
RUN pip install python3-saml
RUN mkdir certs
RUN openssl req -new -x509 -days 3652 -nodes -out certs/sp.crt -keyout certs/sp.key -subj /
COPY main.py .
CMD ["python3", "main.py"]
```
Python program in main.py
```python
import faulthandler
from onelogin.saml2.settings import OneLogin_Saml2_Settings

faulthandler.enable()  # dump a Python traceback on fatal signals such as SIGSEGV

saml_settings = OneLogin_Saml2_Settings(
    {
        "sp": {
            "entityId": "sp",
            "assertionConsumerService": {"url": "https://sp.com"},
        },
        "idp": {
            "entityId": "idp",
            "singleSignOnService": {"url": "https://idp.com"},
        },
        "security": {
            "signMetadata": True,  # exercises the signing path (add_sign)
        },
    },
    custom_base_path=".",  # certs/sp.crt and certs/sp.key are read from ./certs
)

metadata = saml_settings.get_sp_metadata()
print(metadata)
```
Expected Behavior
The SAML metadata should be generated and printed
Actual Behavior
The metadata signing causes a segmentation fault
```
Fatal Python error: Segmentation fault

Current thread 0x00007fc16b317b80 (most recent call first):
  File "/usr/local/lib/python3.8/site-packages/onelogin/saml2/utils.py", line 738 in add_sign
  File "/usr/local/lib/python3.8/site-packages/onelogin/saml2/metadata.py", line 216 in sign_metadata
  File "/usr/local/lib/python3.8/site-packages/onelogin/saml2/settings.py", line 740 in get_sp_metadata
  File "main.py", line 23 in <module>
```
To produce expected behavior
Add `"lxml<5"` to the `pip install` command in the Dockerfile and observe the metadata can be properly signed
Additional Information
- From more experimentation with the Dockerfile, the issue occurs on other Python versions including 3.8 and 3.12.
- I do not face this issue when running the same experiment on macOS 12 with libxmlsec1 v1.2.37
- The fatal error message is occasionally different such as "Bus error" or "Floating point exception" (line 763)
- I encountered a similar issue when running in AWS Lambda (Runtime.ExitError, floating point exception)
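
A deploy-time smoke test for the crash reported above, as an added example that is not part of the original issue or of python3-saml: it runs the metadata-signing call in a child interpreter, so a segmentation fault, bus error or floating point exception shows up as a failed check instead of taking down the service at the ACS endpoint. `SIGNING_PROBE`, `run_probe` and `lxml_version` are names chosen here, and the probe assumes the same `certs/` layout as the Dockerfile.

```python
"""Added example: crash-isolated smoke test for SAML metadata signing."""
import signal
import subprocess
import sys
from importlib.metadata import PackageNotFoundError, version

# The reproduction from the issue, condensed. Assumes python3-saml is installed
# and ./certs/sp.crt and ./certs/sp.key exist, as in the issue's Dockerfile.
SIGNING_PROBE = """
from onelogin.saml2.settings import OneLogin_Saml2_Settings
settings = OneLogin_Saml2_Settings({
    "sp": {"entityId": "sp", "assertionConsumerService": {"url": "https://sp.com"}},
    "idp": {"entityId": "idp", "singleSignOnService": {"url": "https://idp.com"}},
    "security": {"signMetadata": True},
}, custom_base_path=".")
settings.get_sp_metadata()
"""


def lxml_version():
    """Return the installed lxml version string, or None if lxml is absent."""
    try:
        return version("lxml")
    except PackageNotFoundError:
        return None


def run_probe(source=SIGNING_PROBE, timeout=60):
    """Run `source` in a child interpreter and classify how it ended.

    Returns ("ok", None), ("error", exit_code) or ("crash", signal_name).
    On POSIX a negative return code -N means the child was killed by signal N.
    """
    proc = subprocess.run([sys.executable, "-c", source],
                          capture_output=True, timeout=timeout)
    if proc.returncode == 0:
        return ("ok", None)
    if proc.returncode < 0:
        return ("crash", signal.Signals(-proc.returncode).name)
    return ("error", proc.returncode)


if __name__ == "__main__":
    status, detail = run_probe()
    print(f"lxml={lxml_version()} signing probe: {status} {detail or ''}")
    sys.exit(0 if status == "ok" else 1)
```

Run as a script in the image build or CI, a non-zero exit fails the pipeline before a build with a crashing lxml/xmlsec combination is deployed.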