[Rpm-maint] [rpm-software-management/rpm] Defensive handling for rpm %{*:xml} with oversized or malformed metadata (Discussion #4082)

Pradeep Jagtap notifications at github.com
Thu Jan 8 03:50:30 UTC 2026


### Background
The rpm query formatter %{*:xml} can hang indefinitely when processing packages with excessively large or malformed metadata. This issue is reproducible with a locally built RPM containing very large description fields (50+ MB). When triggered, the process consumes high CPU and ignores SIGINT/SIGTERM, requiring SIGKILL to terminate.
This can block automation, asset scanners, CI pipelines, or any tooling relying on rpm queries.

### Observed Behavior
- rpm hangs, high CPU (~80%)
- SIGINT/SIGTERM ignored
- Only SIGKILL terminates process

### Steps to Reproduce
**Prepare build environment**
~~~
# dnf install -y rpm-build
# mkdir -p ~/rpmbuild/{SPECS,SOURCES}
~~~

**Create oversized metadata payload**
~~~
# python3 - << 'EOF'
with open("large_desc.txt", "w") as f:
    f.write("A" * 50_000_000)  # 50 MB description
EOF
~~~

~~~
# mv large_desc.txt ~/rpmbuild/SOURCES/ 
~~~

**Create SPEC file with oversized metadata**
~~~
# cat ~/rpmbuild/SPECS/metadata-stress.spec
Name:           metadata-stress 
Version:        1.0 
Release:        1%{?dist} 
Summary:        Metadata stress test package 

License:        GPL 
Source0:        large_desc.txt 

%description 
%{lua: 
 local f = io.open(rpm.expand("%{SOURCE0}"), "r") 
 local data = f:read("*all") 
 f:close() 
 print(data) 
} 

%prep 
%build 
%install 
mkdir -p %{buildroot}/usr/share/metadata-stress 
echo test > %{buildroot}/usr/share/metadata-stress/testfile 

%files 
/usr/share/metadata-stress/testfile
~~~

**Build and install the package**
~~~
# rpmbuild -ba ~/rpmbuild/SPECS/metadata-stress.spec
# dnf install -y ~/rpmbuild/RPMS/*/metadata-stress-1.0-1*.rpm
~~~

**Trigger hang**
~~~
# rpm -q --queryformat '[%{*:xml}]' metadata-stress
~~~

### Expected Behavior
- Fail gracefully with clear error for malformed/oversized metadata
- Abort XML formatting once limits are exceeded
- Honor interrupts / signals

### Discussion Points
- Should rpm impose a maximum metadata size or iteration limits for %{*:xml}?
- Should a timeout or signal check be added in the XML formatter loop?
- Are there alternative defensive strategies for handling pathological metadata?
- Could this be generalized to other queryformatters, or only %{*:xml}?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/4082
Message ID: <rpm-software-management/rpm/repo-discussions/4082 at github.com>
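
For tooling that must run this query against packages it does not control, a caller-side guard is to cap wall-clock time and output size and escalate to SIGKILL, since the report above says SIGINT/SIGTERM are ignored. This is an added example, not part of the original post or of rpm; `run_bounded`, its default limits and the constructed `STUBBORN_CHILD` stand-in are assumptions made for illustration.

```python
import os
import subprocess
import sys
import tempfile
import time

# Constructed stand-in for a hung query: ignores SIGINT/SIGTERM and spins.
STUBBORN_CHILD = [sys.executable, "-c",
                  "import signal\n"
                  "signal.signal(signal.SIGINT, signal.SIG_IGN)\n"
                  "signal.signal(signal.SIGTERM, signal.SIG_IGN)\n"
                  "while True: pass\n"]


def run_bounded(argv, timeout_s=30.0, grace_s=2.0, max_bytes=8 << 20):
    """Return (reason, returncode, output) under a time and output cap."""
    # Output goes to a temp file so a huge result cannot fill a pipe or RAM.
    with tempfile.TemporaryFile() as out:
        proc = subprocess.Popen(argv, stdin=subprocess.DEVNULL, stdout=out,
                                stderr=subprocess.DEVNULL)
        deadline = time.monotonic() + timeout_s
        reason = "ok"
        while proc.poll() is None:
            if os.fstat(out.fileno()).st_size > max_bytes:
                reason = "output-limit"
            elif time.monotonic() > deadline:
                reason = "timeout"
            if reason != "ok":
                break
            time.sleep(0.05)
        if reason != "ok":
            proc.terminate()              # polite SIGTERM first
            try:
                proc.wait(grace_s)
            except subprocess.TimeoutExpired:
                proc.kill()               # SIGKILL cannot be ignored
                proc.wait()
                reason += "+killed"
        elif os.fstat(out.fileno()).st_size > max_bytes:
            reason = "output-limit"       # exited between polls, still too big
        out.seek(0)
        return reason, proc.returncode, out.read(max_bytes)


if __name__ == "__main__":
    pkg = sys.argv[1] if len(sys.argv) > 1 else "metadata-stress"
    reason, rc, xml = run_bounded(
        ["rpm", "-q", "--queryformat", "[%{*:xml}]", pkg])
    print(f"{reason} rc={rc} bytes={len(xml)}", file=sys.stderr)
    sys.exit(0 if reason == "ok" and rc == 0 else 1)
```

A reason ending in `+killed` means the child ignored SIGTERM, which is a useful signal to log for the package that was being queried.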