Gitlab-CE Omnibus 8.10.0, ClamAV finding Xml.Exploit.CVE_2013_3860-1

Since upgrading to 8.10.0, ClamAV is complaining about Xml.Exploit.CVE_2013_3860-1 found in:

/opt/gitlab/embedded/service/gem/ruby/2.1.0/cache/ruby-saml-1.3.0.gem: Xml.Exploit.CVE_2013_3860-1 FOUND
/opt/gitlab/embedded/service/gem/ruby/2.1.0/cache/nokogiri-1.6.8.gem: Xml.Exploit.CVE_2013_3860-1 FOUND
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/ruby-saml-1.3.0/test/responses/attackxee.xml: Xml.Exploit.CVE_2013_3860-1 FOUND
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/nokogiri-1.6.8/test/xml/test_document.rb: Xml.Exploit.CVE_2013_3860-1 FOUND

It’s a vulnerability relating to .NET:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3860

For now, I’m whitelisting with:

sigtool --md5 /opt/gitlab/embedded/service/gem/ruby/2.1.0/cache/ruby-saml-1.3.0.gem >> /var/lib/clamav/local.fp

Not sure if this is a bug or an FYI…
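To turn a whole scan report into whitelist entries instead of running sigtool once per file, here is a small POSIX sh helper (an added example, not from this thread or from GitLab). It assumes md5sum is available and emits the same MD5:size:basename line format that sigtool --md5 writes to local.fp, only for the one signature name you pass in, so unrelated detections are never whitelisted by accident.

```shell
#!/bin/sh
# Hypothetical helper (added example): build ClamAV .fp whitelist lines for
# every file a clamscan report flagged with ONE given signature name.
# The .fp format is MD5:size:name, the same as the output of `sigtool --md5`;
# md5sum + wc are used here so it runs where sigtool is not installed (assumption).

fp_entry() {
    # $1 = path of a file; prints "md5:size:basename" for that file
    f=$1
    sum=$(md5sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s:%s:%s\n' "$sum" "$size" "$(basename "$f")"
}

fp_from_report() {
    # $1 = clamscan report file, $2 = signature name to whitelist
    # Only lines ending in ": <sig> FOUND" are used; "OK" lines and other
    # signatures are ignored, and paths that no longer exist are skipped.
    report=$1
    sig=$2
    while IFS= read -r line; do
        case $line in
            *": $sig FOUND")
                path=${line%": $sig FOUND"}
                if [ -f "$path" ]; then
                    fp_entry "$path"
                fi
                ;;
        esac
    done < "$report"
}

# Typical use (appends to the whitelist, then let freshclam/clamd pick it up):
#   fp_from_report /var/log/clamav/weekly.log Xml.Exploit.CVE_2013_3860-1 >> /var/lib/clamav/local.fp
```

Because the entries are keyed by file hash, a later gem upgrade produces a new hash and will be reported again, which is the intended behaviour for a whitelist of known-benign test fixtures.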

My system just finished its weekly system scan and these are hitting since my update to 8.10.0.

/home/git/.gem/ruby/2.2.0/cache/nokogiri-1.6.7.2.gem: Xml.Exploit.CVE_2013_3860-1 FOUND
/home/git/.gem/ruby/2.2.0/gems/nokogiri-1.6.7.2/test/xml/test_document.rb: Xml.Exploit.CVE_2013_3860-1 FOUND
/home/git/gitlab/vendor/bundle/ruby/2.2.0/cache/nokogiri-1.6.8.gem: Xml.Exploit.CVE_2013_3860-1 FOUND
/home/git/gitlab/vendor/bundle/ruby/2.2.0/cache/ruby-saml-1.3.0.gem: Xml.Exploit.CVE_2013_3860-1 FOUND
/home/git/gitlab/vendor/bundle/ruby/2.2.0/gems/nokogiri-1.6.8/test/xml/test_document.rb: Xml.Exploit.CVE_2013_3860-1 FOUND
/home/git/gitlab/vendor/bundle/ruby/2.2.0/gems/ruby-saml-1.3.0/test/responses/attackxee.xml: Xml.Exploit.CVE_2013_3860-1 FOUND

The funny thing about this is that what ClamAV is catching is the ruby-saml and nokogiri tests to make sure that they are not vulnerable to this attack.

The interesting thing is that both of those should have been there for quite some time. The test code was introduced into Nokogiri, for example, in v1.6.2 in 2013, and GitLab has been using 1.6.x for many months. Also, while GitLab was using ruby-saml 1.1.2 one month ago, that version should also already have had this test included.