It was reported [1] that git, when used as a client on a case-insensitive filesystem (such as FAT, FAT32, NTFS, HFS+, etc.), could allow the overwrite of the .git/config file when the client performed a "git pull". Because git permitted committing .Git/config (or any case variation), on the pull this would replace the user's .git/config. If this malicious config file contained defined external commands (such as for invoking and editor or an external diff utility) it could allow for the execution of arbitrary code with the privileges of the user running the git client. [1] http://article.gmane.org/gmane.linux.kernel/1853266 Statement: This flaw is only exploitable when the local git repository is stored on a case-insensitive filesystem. By default, Red Hat Enterprise Linux uses case-sensitive filesystems (such as ext2/3/4, XFS, etc.) and as such is not vulnerable to this flaw.
*** Bug 1175959 has been marked as a duplicate of this bug. ***