Matt Mackall and Augie Fackler discovered that Git incorrectly handled certain filesystem paths. A remote attacker could possibly use this issue to execute arbitrary code if the Git tree is stored in an HFS+ or NTFS filesystem. The remote attacker would need write access to a Git repository that the victim pulls from.
The problem can be corrected by updating your system to the following
To update your system, please follow these instructions:
After a standard system update you need to set the core.protectHFS and/or core.protectNTFS Git configuration variables to "true" if you store Git trees in HFS+ and/or NTFS filesystems. If you host Git trees, setting the core.protectHFS, core.protectNTFS, and receive.fsckObjects Git configuration variables to "true" will cause your Git server to reject objects containing malicious paths intended to overwrite the Git metadata.
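One way to apply and then verify the settings described above, as an added example that is not part of the original notice. The function names and the profile names `hfs`, `ntfs` and `server` are this example's own; any extra arguments (for instance `--global` or `--system`) are passed through to `git config`.

```shell
#!/bin/sh
# Added example: set and audit the Git variables named in this notice.
# Profile names (hfs, ntfs, server) are hypothetical labels for this script.

# Print the configuration keys the notice asks for, per profile.
hardening_keys() {
    case $1 in
        hfs)    echo "core.protectHFS" ;;
        ntfs)   echo "core.protectNTFS" ;;
        server) echo "core.protectHFS core.protectNTFS receive.fsckObjects" ;;
        *)      return 2 ;;
    esac
}

# Set every key of the profile to "true" in the chosen config scope.
apply_git_hardening() {
    profile=$1; shift
    keys=$(hardening_keys "$profile") || { echo "unknown profile: $profile" >&2; return 2; }
    for key in $keys; do
        git config "$@" "$key" true || return 1
    done
}

# Report each key; return non-zero if any is unset or not "true".
check_git_hardening() {
    profile=$1; shift
    keys=$(hardening_keys "$profile") || { echo "unknown profile: $profile" >&2; return 2; }
    missing=0
    for key in $keys; do
        # --bool normalises yes/on/1 to "true"; a failed lookup means the key is unset
        value=$(git config "$@" --bool --get "$key" 2>/dev/null) || value=unset
        if [ "$value" = true ]; then
            echo "ok       $key=true"
        else
            echo "MISSING  $key (current: $value)"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Typical use on a host that serves Git trees:
#   apply_git_hardening server --system && check_git_hardening server --system
# Typical use on a workstation with trees on NTFS:
#   apply_git_hardening ntfs --global && check_git_hardening ntfs --global
```

Running the check from a scheduled job or configuration-management run catches hosts where the package was updated but the variables were never set.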