A flaw was found in libgit2 which allows arbitrary file write when recursively cloning a malicious repository. libgit2 can be tricked into writing files outside the .git/modules directory. This is a variant of git CVE-2018-11235.
Created libgit2 tracking bugs for this issue:
Affects: fedora-all [bug 1596744]
After deeper analysis with upstream help, we determined libgit2 is not vulnerable to any variant of CVE-2018-11235.
Thus I'm closing this as NOTABUG.