Segmentation fault on `xmlsec.tree.add_ids()` in Python Development Mode

[Anthchirp]

boom.py:

from lxml import etree

import xmlsec

template = etree.parse('sign1-res.xml').getroot()
xmlsec.tree.add_ids(template, ["ID"])

with sign-res.xml coming from the xmlsec examples.

Expected output

$ python boom.py
$

Observed output

$ PYTHONDEVMODE=1 python boom.py
Debug memory block at address p=0x5556aed07c40: API '!'
    15987178197214944733 bytes originally requested
    The 7 pad bytes at p-7 are not all FORBIDDENBYTE (0xfd):
        at p-7: 0x00 *** OUCH
        at p-6: 0x00 *** OUCH
        at p-5: 0x00 *** OUCH
        at p-4: 0x00 *** OUCH
        at p-3: 0x00 *** OUCH
        at p-2: 0x00 *** OUCH
        at p-1: 0x00 *** OUCH
    Because memory is corrupted at the start, the count of bytes requested
       may be bogus, and checking the trailing pad bytes may segfault.
    The 8 pad bytes at tail=0xddde33348cae5a1d are Fatal Python error: Segmentation fault

Current thread 0x00007fb7df1d8000 (most recent call first):
  File "boom.py", line 6 in <module>

Extension modules: lxml._elementpath, lxml.etree, xmlsec (total: 3)
Segmentation fault
$

Environment

I'm running on Ubuntu 22.04 with system python 3.10.6 and xmlsec 1.3.13.

pip list

Package            Version
------------------ -------------
blinker            1.4
chardet            4.0.0
cryptography       3.4.8
devscripts         2.22.1ubuntu1
dh-virtualenv      1.2.2
distro             1.7.0
httplib2           0.20.2
importlib-metadata 4.6.4
isodate            0.6.1
jeepney            0.7.1
keyring            23.5.0
launchpadlib       1.10.16
lazr.restfulclient 0.14.4
lazr.uri           1.0.6
lxml               4.9.2
more-itertools     8.10.0
netifaces          0.11.0
oauthlib           3.2.0
pip                22.0.2
PyGObject          3.42.1
PyJWT              2.3.0
pyparsing          2.4.7
python-apt         2.4.0+ubuntu1
python-debian      0.1.43ubuntu1
python3-saml       1.15.0
SecretStorage      3.3.1
setuptools         59.6.0
six                1.16.0
supervisor         4.2.1
VapourSynth        54
wadllib            1.3.6
wheel              0.37.1
xmlsec             1.3.13
zipp               1.0.0

apt list | grep xmlsec | grep installed

libxmlsec1-dev/jammy,now 1.2.33-1build2 amd64 [installed]
libxmlsec1-gcrypt/jammy,now 1.2.33-1build2 amd64 [installed,automatic]
libxmlsec1-gnutls/jammy,now 1.2.33-1build2 amd64 [installed,automatic]
libxmlsec1-nss/jammy,now 1.2.33-1build2 amd64 [installed,automatic]
libxmlsec1-openssl/jammy,now 1.2.33-1build2 amd64 [installed,automatic]
libxmlsec1/jammy,now 1.2.33-1build2 amd64 [installed,automatic]

[Anthchirp]

I checked whether this is an lxml <-> xmlsec issue, but it is not:

$ pip install --no-binary :all: --force-reinstall lxml
$ PYTHONDEVMODE=1 python boom.py
(...)
Segmentation fault

[jlthorel]

Hello just had a similar problem with xmlsec.tree.add_ids
program crash on this line without any error message
I solve the issue by falling back to lxml==4.9.3 instead of lxml==5.1.0

Brgds JL

[wonjae3091]

@jlthorel You saved my life...!! 👍

[downpat]

This fixed a problem for me too. It was causing a SAML SSO login failure for me. Has anyone submitted a bug to lxml? Their bug tracker is here: https://launchpad.net/lxml

[MaylinJeong]

@jlthorel You saved my life as well..! 💯

[rhenanbartels]

@jlthorel You're a life saver!! Thank you very much!🎉🎉
I had the same problem as @downpa and my SAML login was failing because of lxml library

[jake-lester]

@jlthorel thank you for saving us as well! You are the best!!!
We had issues recently with SSO on heroku where our ACS was failing. We isolated it to python3-saml validate_sign --> xmlsec xmlsec.tree.add_ids(elem, ["ID"]) ... thank you ❤️

[Daviazuos]

@jlthorel You saved my life!!

[vpatov]

We had the same issue with our SAML SSO failing due to a seg fault, downgrading lxml resolved the issue

[quique]

Hello just had a similar problem with xmlsec.tree.add_ids program crash on this line without any error message I solve the issue by falling back to lxml==4.9.3 instead of lxml==5.1.0

OMG, this was driving me crazy: my SAML SSO was failing most of the times, but sometimes it did work 😠 .
Downgrading xml fixed the issue :-) Thanks a lot for the tip!!!

[quique]

This fixed a problem for me too. It was causing a SAML SSO login failure for me. Has anyone submitted a bug to lxml? Their bug tracker is here: https://launchpad.net/lxml

I couldn't find any bug report about this, so I just submitted one:
https://bugs.launchpad.net/lxml/+bug/2054606

[andpena]

Hello just had a similar problem with xmlsec.tree.add_ids program crash on this line without any error message I solve the issue by falling back to lxml==4.9.3 instead of lxml==5.1.0

Brgds JL

Thank you very much! This solution worked for me too.

[quique]

This fixed a problem for me too. It was causing a SAML SSO login failure for me. Has anyone submitted a bug to lxml? Their bug tracker is here: https://launchpad.net/lxml

I couldn't find any bug report about this, so I just submitted one: https://bugs.launchpad.net/lxml/+bug/2054606

The folks at lxml closed the report.
They consider it is a third party issue (ie, that the problem lies in xmlsec).