Segmentation fault in Python Development Mode

[Anthchirp]

When running .get_sp_metadata() with the additional runtime checks of the Python Development Mode the interpreter crashes with a segmentation fault.

Expected output

$ python boom.py
This is fine.

Observed output

$ PYTHONDEVMODE=1 python boom.py
Debug memory block at address p=0x560098099e80: API '!'
    0 bytes originally requested
    The 7 pad bytes at p-7 are not all FORBIDDENBYTE (0xfd):
        at p-7: 0x00 *** OUCH
        at p-6: 0x00 *** OUCH
        at p-5: 0x00 *** OUCH
        at p-4: 0x00 *** OUCH
        at p-3: 0x00 *** OUCH
        at p-2: 0x00 *** OUCH
        at p-1: 0x00 *** OUCH
    Because memory is corrupted at the start, the count of bytes requested
       may be bogus, and checking the trailing pad bytes may segfault.
    The 8 pad bytes at tail=0x560098099e80 are not all FORBIDDENBYTE (0xfd):
        at tail+0: 0x10 *** OUCH
        at tail+1: 0x29 *** OUCH
        at tail+2: 0x77 *** OUCH
        at tail+3: 0x7b *** OUCH
        at tail+4: 0x92 *** OUCH
        at tail+5: 0x7f *** OUCH
        at tail+6: 0x00 *** OUCH
        at tail+7: 0x00 *** OUCH

Enable tracemalloc to get the memory block allocation traceback

Fatal Python error: _PyMem_DebugRawFree: bad ID: Allocated using API '!', verified using API 'm'
Python runtime state: initialized

Current thread 0x00007f927bfd1000 (most recent call first):
  File "/usr/local/lib/python3.10/dist-packages/onelogin/saml2/utils.py", line 763 in add_sign
  File "/usr/local/lib/python3.10/dist-packages/onelogin/saml2/metadata.py", line 216 in sign_metadata
  File "/usr/local/lib/python3.10/dist-packages/onelogin/saml2/settings.py", line 740 in get_sp_metadata
  File "boom.py", line 128 in <module>

Extension modules: lxml._elementpath, lxml.etree, xmlsec (total: 3)
Aborted

Environment

I'm running on Ubuntu 22.04 with system python 3.10.6 and python3-saml 1.15.0.

pip list

Package            Version
------------------ -------------
blinker            1.4
chardet            4.0.0
cryptography       3.4.8
devscripts         2.22.1ubuntu1
dh-virtualenv      1.2.2
distro             1.7.0
httplib2           0.20.2
importlib-metadata 4.6.4
isodate            0.6.1
jeepney            0.7.1
keyring            23.5.0
launchpadlib       1.10.16
lazr.restfulclient 0.14.4
lazr.uri           1.0.6
lxml               4.9.2
more-itertools     8.10.0
netifaces          0.11.0
oauthlib           3.2.0
pip                22.0.2
PyGObject          3.42.1
PyJWT              2.3.0
pyparsing          2.4.7
python-apt         2.4.0+ubuntu1
python-debian      0.1.43ubuntu1
python3-saml       1.15.0
SecretStorage      3.3.1
setuptools         59.6.0
six                1.16.0
supervisor         4.2.1
VapourSynth        54
wadllib            1.3.6
wheel              0.37.1
xmlsec             1.3.13
zipp               1.0.0

boom.py:

from onelogin.saml2.settings import OneLogin_Saml2_Settings

s = {
    "contactPerson": {
        "support": {
            "emailAddress": "support@wibble.example",
            "givenName": "Supporty McSupportFace",
        }
    },
    "debug": False,
    "organization": {
        "en-GB": {
            "displayname": "Wibble Ltd",
            "name": "Wibble Ltd",
            "url": "https://wibble.example",
        }
    },
    "security": {
        "authnRequestsSigned": True,
        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
        "failOnAuthnContextMismatch": True,
        "logoutRequestSigned": True,
        "logoutResponseSigned": True,
        "nameIdEncrypted": True,
        "requestedAuthnContext": False,
        "signMetadata": True,
        "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "wantAssertionsEncrypted": True,
        "wantAssertionsSigned": True,
        "wantMessagesSigned": True,
        "wantNameId": True,
        "wantNameIdEncrypted": True,
    },
    "sp": {
        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "assertionConsumerService": {
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "url": "https://pam.wibble.example/ui/saml/acs",
        },
        "entityId": "My PAM Service",
        "privateKey": "\n"
        "MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDqEWzpkO1f+FyN\n"
        "PWMEdkmeDdImLzigB+csutW1i0Kq8RXLSKhsKFmvSXywCPkoN9GIpfvbv+uKxAXc\n"
        "0jJlf1KKiifiWZYqm2ZgFuw3GcKBQaF+yJORe+2qdcqp75i+DMZ+vsUwKpwbp2SH\n"
        "+hZ/NRwiUAoNyQ7DR1v7z8kJxcOKihWJcbvNassQF8A5PPMPi0ubHOdLXxq1bg5u\n"
        "uDZDEFf8W2b4yUk39HpmcuRgL/nlpn6V8OtpdaV+XQk7eB8Veh2jpVVzqGgW4FFn\n"
        "1Gn90jYWh6B0pgGBGCPZVDCu5Wa+4hVkbNrEHwdCbI4cTUJnae4o02WcFJZyBPUJ\n"
        "kPowdY5k3/zNW/NWj9URY8hTEHARdh3v/jeqVWIdgoHFjnGtp7Z5aw8+SyXxgfOS\n"
        "cIjUxc2DGcfAw6nhYWOnGn8/0H67KmKY+vFPzpNiwbG5KdNjJJLLKSnPVGP4YEbc\n"
        "xWC5i77YHckZd3aLh8KEH2PgmsvYxTK6+thAuiBMEAcLZpHkS4KqU96LvjVL4SF3\n"
        "sBwTI74L+wL5Zgn9j5lx0x4nhnaUn2IRLyFNlrGuoT2/0NEGfbOyNhSP9NEKfEzS\n"
        "G1IPvojS5oP+itJ/3tFDvKCZlvLId7xWkzIdvNGFVpS2wPNc8WALQsv74velILLb\n"
        "Z9dHn5LLQrU/pD6jIdrq8+k27RWY6wIDAQABAoICAQClsrRBHCGOgMk0CzLfY8V1\n"
        "qB8OfPs+/pk+Zv0GyZDmZkihYcwo1N+4YPNtwsxvFiS08Zu70r8xutbTndGjXGDY\n"
        "Rjk52WWev+fXOiL6VrgEvKtQjzk4El0LANv5NO4SDAUwkGgTUvaz9OoMAJSQdM53\n"
        "0+VqINzcjNWnC08sJd3pYxsf822ZW3Jo8AdZ/bWrWVaqdemex7KmoUSCSNHQ4+8F\n"
        "bMcWc5frjpxfjhHxrcTgN98A0k40l94R+FaizMRkddApms9FUwBswVuffxWRY5B6\n"
        "noSOTz5dXvNx1FGqXidAFdhDAXRUxgpjkWmAy4iooKrCJ/SUa1adXLkCjqkuSOoF\n"
        "UFBocp3uiO/G2ypIRcP/EaoV+JHzDsNly+CnWsuPgVVU82BxxmexzlU2Kh9WGOcT\n"
        "Jpo064UQcs2SFckR/Ky7h5tCO789W1ohiFEQBVwmSUf5mqOGUdM2vk4Xe4etPcKM\n"
        "3mqZioV/g9su6LCKlahx4UiqmTrsdScxSc/4XwpOnNhEkS6Y3qvjt0voNWZTkhLv\n"
        "lVld05ttLhNsOytydWVSRphVGoOz0c1r1eLmo2bVflaXWPlkDcgtxlWyBMijxOJt\n"
        "IjkLjF3jWA2AqDPa//YGEC5MtvdMT+VNmUcb2LsE7+7VWkyIq+EMLvkTgwHV3RMN\n"
        "8GEgv/kP0ZOAObItYpX8AQKCAQEA/0woDI8BPwmpY1UvI90FG4dIS2pFjubG33+/\n"
        "DSuvIV2TUIysPElaSCBexyCsHSXMv28qMc2fjHci1XY5Rk63Om758B/LMiq7UXEe\n"
        "jBvxOMcRIMYKKCM5Q5r85Uw3kBzigplHHrk1eKkj87nNuUjYyUUYiRdHiXcgYeey\n"
        "OqiQXIUKOfDlr6TKgQNYyegYfN/spc25odMaOoEJne7AztG1QblyKOiLVQJ1avs0\n"
        "G3OaRjRaLjbAHAxRk5ALboNOhyVYB2YewhYG5coN6rk+RJuBGmnwsNWjTF9JMGbQ\n"
        "ssgimO+7KCmd9+8vgRnnBDsKkrHZlFXSbW1SVDkk3pZulbCD6wKCAQEA6rZQYhWs\n"
        "ieSDm8B42F29fj042aNcJCyVRQBldgMBLfS/E6CBLfEVT52FOIX3Mc2N3StVINpN\n"
        "0UVZ0W1/auLAeRGHio/ezd/kZfxVfu+9utmghoB6+JMG8ogbuaK5J5FYzXr5+Gxo\n"
        "3iPVX2SHilgsECHKeN/l0la9sNSRZ6rKDjqAsjTXTZvChmGY0+ng75pA4WRVNDBZ\n"
        "tNFHZ9/3gPwAulW7bRJrEIjjANS/H4LfqC9E3/ILzGKG+AOXcE4d/KHgfJN5XPOc\n"
        "C5Mp6e/nJctatZiafxfZlZK6OzARB7JxFAzqmbxGGa7yZTMUWUBN9p07sOqKADDg\n"
        "cXESyYxwcnr/AQKCAQEAiFVtFbfQnI9WS9uTvv0q2xaVfuCToMqQ7Y3Uwv3PGmxU\n"
        "XTGiUNeDRP00X/aMs0waWSjOSaZbS7Hbgk8OKwOiSaw2AQuZgYLcYZOdEolhekak\n"
        "WPIpPmIBFJ9R6kmXanhiZgfguQGDEpqQvnk86XODgYhKn/s0kq5xNpd60GRwI1hQ\n"
        "q7x/jBreoaLd6YTuftE+GRURyt9nJFMAhbyYbloDB8Q2uK3mqlETzzuzCe3kNxWC\n"
        "Cyfl05Sog7rqv+uTJgzFQ74/Mrp8mH4cjHq8S/sXKLnmdSjBeelwtk5RqQfDohRz\n"
        "x/DhkSPEJJdmjRXSgaBEZzillRZKXvvdOpjvGTUYXQKCAQEA2npSYLrkHIdFqpmC\n"
        "44R+ex/p50yU3GdTmyM/TpaFZo3HvzFMjcM3nyB1faPV8dnxD8riNu5+OSpg7P0L\n"
        "+iaQGyIiFOzO7LxYEkbMHphy95bUQd8emHvjn6bqh+Xci+RT0RGD1aa0BvM8Dsu5\n"
        "DyH8AhgyLEnd1+k+MXfs0Z687nmuijN9ppQygnwekkPGScJAWo3Wcfn/xrx3x01H\n"
        "Sh1JYCmliWX3mzCQfZmLPn3ISvmVFxBrwxiDoiFVugg9CYh1OgDcm5V3z55xCX1y\n"
        "oE+mZBtk1KESvJQUHjwj3hJQB+XuCqSibA3ZPDJL4rhk2gaKJahsRLk6ct5aKpo7\n"
        "oZS0AQKCAQA2b+2z/Q3X57dRAQToChTJsRX0O7HtaB7Bp8s/MjCJyxbyNcoV8P7j\n"
        "w3ZEZzropvuQxKVpQ4iYE8rSNApJGjibx77ipRaF4VBxqnB6NG1fjJSQHrK1+a1S\n"
        "Zs88EQIB2AAelAMq9nFsDCaPkyUFNyll3sLlA9tIO5A7MBISM8sXf6ZuWD14ATIm\n"
        "JhjoE7zOogW4CoxXwVsP/Yvepuz2zV3K67ukdbBEG6eiWPO4X8E5TzPO30u5Q/CI\n"
        "OS3WvQXZMmtJrYW7XKn0IVHKD6+YmSNgkBQXz/R8+kCd/j766PyUMxtgj+Afc7R/\n"
        "dd2IcyGcFQ2sNMMUk0WPC3LuaRGcphwk",
        "x509cert": "\n"
        "MIIFZTCCA02gAwIBAgIUKKsfVuB0saLEGTx64T9KP+g33E4wDQYJKoZIhvcNAQEL\n"
        "BQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE\n"
        "CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yMDEwMDIxNTQ2MDFaFw0zMDA5MzAx\n"
        "NTQ2MDFaMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa\n"
        "BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwggIiMA0GCSqGSIb3DQEBAQUAA4IC\n"
        "DwAwggIKAoICAQDqEWzpkO1f+FyNPWMEdkmeDdImLzigB+csutW1i0Kq8RXLSKhs\n"
        "KFmvSXywCPkoN9GIpfvbv+uKxAXc0jJlf1KKiifiWZYqm2ZgFuw3GcKBQaF+yJOR\n"
        "e+2qdcqp75i+DMZ+vsUwKpwbp2SH+hZ/NRwiUAoNyQ7DR1v7z8kJxcOKihWJcbvN\n"
        "assQF8A5PPMPi0ubHOdLXxq1bg5uuDZDEFf8W2b4yUk39HpmcuRgL/nlpn6V8Otp\n"
        "daV+XQk7eB8Veh2jpVVzqGgW4FFn1Gn90jYWh6B0pgGBGCPZVDCu5Wa+4hVkbNrE\n"
        "HwdCbI4cTUJnae4o02WcFJZyBPUJkPowdY5k3/zNW/NWj9URY8hTEHARdh3v/jeq\n"
        "VWIdgoHFjnGtp7Z5aw8+SyXxgfOScIjUxc2DGcfAw6nhYWOnGn8/0H67KmKY+vFP\n"
        "zpNiwbG5KdNjJJLLKSnPVGP4YEbcxWC5i77YHckZd3aLh8KEH2PgmsvYxTK6+thA\n"
        "uiBMEAcLZpHkS4KqU96LvjVL4SF3sBwTI74L+wL5Zgn9j5lx0x4nhnaUn2IRLyFN\n"
        "lrGuoT2/0NEGfbOyNhSP9NEKfEzSG1IPvojS5oP+itJ/3tFDvKCZlvLId7xWkzId\n"
        "vNGFVpS2wPNc8WALQsv74velILLbZ9dHn5LLQrU/pD6jIdrq8+k27RWY6wIDAQAB\n"
        "o1MwUTAdBgNVHQ4EFgQUHQnq55Od+WoFik6TXYV9Id7ru0gwHwYDVR0jBBgwFoAU\n"
        "HQnq55Od+WoFik6TXYV9Id7ru0gwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B\n"
        "AQsFAAOCAgEACemRaRLsnDFcaoXGehXwl3Uvf0LfG4XTVpElj5xcnq59jSw9K0dH\n"
        "gH9EwBJM7Sz0omxQDP2J9Cx8La6mTCr31KcQ83CwRruzuNTO2kBGZ/nG+XJBWMlh\n"
        "HbPr8v/Uc1VxZbbASbBWZBiT6crywqtnaIwP16EX1o99GqDEp5tSJFzcdjVjInxm\n"
        "E89gEMODj3BcZqYdObCP14jZN5l2SJgMShxTTVi7se5ROPPbXd1XEpKo/t1MCbIH\n"
        "vbHfsZEJ/BBi+LyqpaFwhSPZXJ3YAQKxmPlqO6GaZxSSxsXPq8k7SS0Hz6DlLtgd\n"
        "T4GzCnAcUko8vxEaR/r5vNQPZfdlF26Son9gbyMW4vcQ3Z9lGria1Kx2SZqWbFwb\n"
        "LiXbBWxFPbxEqqmx+rVNMceO9lpob8fjxCBGMkB5X/ob1Y19tI9FNbRrq+f6ireo\n"
        "MmXlFUC6ZK0on6MaqcPTOBZugyMZWrq0zcgscL6GQkPlA2cHIOXP4OTyE83aLACA\n"
        "75Pq2Kaz2VZFJRmaAUQzDNlxqtmkpTpO7RT5gayHJnfQgBHdXYODnXoCX8yRa7eE\n"
        "lmkhlGlshxqYHSp+4wjx2f+yZbasxg9n/DbQ+2vYwrajgqhhH7Rak0KVUAq7OI2P\n"
        "sawivRIEFDvN3CBR8Iq8d6GkJ/lJ/6PWbxW6jH0sjqCpQ/g4ueguZzg=",
    },
}
settings = OneLogin_Saml2_Settings(settings=s, sp_validation_only=True)
metadata = settings.get_sp_metadata()
print("This is fine.")

[Anthchirp]

This is not a python3-saml issue, it's an xmlsec problem. Reported upstream.