Since upgrading to 8.10.0, ClamAV is complaining about Xml.Exploit.CVE_2013_3860-1 found in:
/opt/gitlab/embedded/service/gem/ruby/2.1.0/cache/ruby-saml-1.3.0.gem: Xml.Exploit.CVE_2013_3860-1 FOUND
/opt/gitlab/embedded/service/gem/ruby/2.1.0/cache/nokogiri-1.6.8.gem: Xml.Exploit.CVE_2013_3860-1 FOUND
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/ruby-saml-1.3.0/test/responses/attackxee.xml: Xml.Exploit.CVE_2013_3860-1 FOUND
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/nokogiri-1.6.8/test/xml/test_document.rb: Xml.Exploit.CVE_2013_3860-1 FOUND
It’s a vulnerability relating to .NET:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3860
For now, I’m whitelisting with:
sigtool --md5 /opt/gitlab/embedded/service/gem/ruby/2.1.0/cache/ruby-saml-1.3.0.gem >> /var/lib/clamav/local.fp
Not sure if this is a bug or an FYI…
My system just finished its weekly system scan and these are hitting since my update to 8.10.0.
/home/git/.gem/ruby/2.2.0/cache/nokogiri-1.6.7.2.gem: Xml.Exploit.CVE_2013_3860-1 FOUND
/home/git/.gem/ruby/2.2.0/gems/nokogiri-1.6.7.2/test/xml/test_document.rb: Xml.Exploit.CVE_2013_3860-1 FOUND
/home/git/gitlab/vendor/bundle/ruby/2.2.0/cache/nokogiri-1.6.8.gem: Xml.Exploit.CVE_2013_3860-1 FOUND
/home/git/gitlab/vendor/bundle/ruby/2.2.0/cache/ruby-saml-1.3.0.gem: Xml.Exploit.CVE_2013_3860-1 FOUND
/home/git/gitlab/vendor/bundle/ruby/2.2.0/gems/nokogiri-1.6.8/test/xml/test_document.rb: Xml.Exploit.CVE_2013_3860-1 FOUND
/home/git/gitlab/vendor/bundle/ruby/2.2.0/gems/ruby-saml-1.3.0/test/responses/attackxee.xml: Xml.Exploit.CVE_2013_3860-1 FOUND
The funny thing about this is that what ClamAV is catching is the ruby-saml and nokogiri tests to make sure that they are not vulnerable to this attack.
The interesting thing is that both of those should have been there for quite some time. The test code was introduced into Nokogiri, for example, in v1.6.2 in 2013, and GitLab has been using 1.6.x for many months. Also, while GitLab was using ruby-saml 1.1.2 one month ago, that version should also already have had this test included.
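Added example, not from this issue thread and not code from ClamAV, nokogiri or ruby-saml: a small Ruby heuristic for the two DTD patterns that XML "exploit" test fixtures like the ones flagged above carry, an external entity declaration (XXE, the attackxee.xml case) and an internal entity chain that blows up on expansion (the CVE-2013-3860 / "billion laughs" case). The three XML documents, the `MAX_FACTOR` threshold and the function names are all constructed for this example; the regex-based parsing is a simplification, not ClamAV's signature logic or a conforming DTD parser.

```ruby
# Constructed samples (not the real fixtures from the gems).
BILLION_LAUGHS = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  ]>
  <lolz>&lol3;</lolz>
XML

XXE_SAMPLE = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
  <foo>&xxe;</foo>
XML

BENIGN = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE note [
    <!ENTITY company "Example Corp">
    <!ENTITY sig "&company; Security Team">
  ]>
  <note>&sig;</note>
XML

# Internal general entity declarations: { name => replacement text }.
# Parameter entities (<!ENTITY % ...>) and external ones are skipped here.
def parse_entities(xml)
  entities = {}
  xml.scan(/<!ENTITY\s+([^\s%]+)\s+(["'])(.*?)\2\s*>/m) do |name, _q, text|
    entities[name] = text
  end
  entities
end

# External entity declarations (SYSTEM or PUBLIC): the parser is being asked
# to pull a local file or URL into the document. Returns [[name, uri], ...].
def external_entities(xml)
  xml.scan(/<!ENTITY\s+([^\s%]+)\s+(?:SYSTEM|PUBLIC\s+(["'])[^"']*\2)\s+(["'])([^"']*)\3/m)
     .map { |name, _pub_q, _q, uri| [name, uri] }
end

# Length of an entity's text once every &ref; inside it is recursively
# substituted. Memoised per entity; a reference cycle yields Float::INFINITY
# instead of recursing forever.
def expanded_length(entities, name, memo = {}, stack = [])
  return memo[name] if memo.key?(name)
  return Float::INFINITY if stack.include?(name)
  text = entities[name]
  return 0 if text.nil? # undefined or external entity: nothing internal to expand
  stack.push(name)
  total = 0
  last = 0
  text.scan(/&([^;&\s]+);/) do |(ref)|
    m = Regexp.last_match
    total += m.begin(0) - last                     # literal text before the reference
    total += expanded_length(entities, ref, memo, stack)
    last = m.end(0)
  end
  total += text.length - last                      # literal text after the last reference
  stack.pop
  memo[name] = total
end

# Worst-case expanded size of any one entity divided by the total declared
# size of the internal subset: the amplification an attacker gets for free.
def expansion_factor(xml)
  entities = parse_entities(xml)
  return 1.0 if entities.empty?
  declared = entities.values.sum(&:length)
  worst = entities.keys.map { |n| expanded_length(entities, n) }.max
  worst.to_f / declared
end

# Threshold chosen for this example only; real parsers use their own limits.
MAX_FACTOR = 10.0

def suspicious_dtd?(xml)
  !external_entities(xml).empty? || expansion_factor(xml) > MAX_FACTOR
end

if __FILE__ == $PROGRAM_NAME
  { "billion laughs" => BILLION_LAUGHS, "xxe" => XXE_SAMPLE, "benign" => BENIGN }.each do |label, xml|
    printf("%-15s external=%-2d factor=%-8.2f suspicious=%s\n",
           label, external_entities(xml).size, expansion_factor(xml), suspicious_dtd?(xml))
  end
end
```

Run over a checkout of the gems' test directories, a check like this trips on exactly the files ClamAV flagged, for the same reason: a fixture whose job is to prove the parser rejects entity expansion contains the entity expansion, and a content scanner cannot tell a fixture from a payload. That is also the caveat on the `sigtool --md5 ... >> local.fp` whitelist above: the entry is keyed to the exact bytes of that gem file, so it silently stops matching on the next ruby-saml or nokogiri upgrade, and a real detection in that archive would be masked for as long as the hash does match.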