Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact on disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk.
External References: https://kate.io/blog/git-bomb/
References: https://github.com/Katee/git-bomb
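As an added example (not code from this report, from kate.io, or from git itself): a pure-Python model of the layered tree graph the description refers to, with a memoised count of the files a checkout would create. The count runs in O(objects) rather than expanding the tree, which is the kind of check a repository host could apply before accepting a push. The `build_git_bomb` model, the placeholder object ids and the `max_files` threshold are constructed assumptions.

```python
"""Detect a git-bomb style tree graph by counting the paths a checkout would
create, without creating them.  Trees are modelled as
{object_id: [(name, kind, target_id)]}, the way `git cat-file -p <tree>` lists
entries; object ids here are constructed placeholders, not real SHA-1s."""

def build_git_bomb(depth, fanout):
    """Model of the crafted repository: one blob, then `depth` tree layers,
    each layer pointing `fanout` times at the single object of the layer
    below.  Only depth+1 objects exist, but a checkout expands to
    fanout**depth files.  Returns (trees, root_id)."""
    trees = {"blob": None}              # blobs carry no entries
    prev, kind = "blob", "blob"
    for level in range(depth):
        tid = f"tree{level}"
        trees[tid] = [(f"d{i}", kind, prev) for i in range(fanout)]
        prev, kind = tid, "tree"
    return trees, prev

def expanded_files(trees, root):
    """Number of files a checkout of `root` would materialise.  Memoised per
    object id, so a subtree referenced many times is walked once and the
    cost is O(objects), unlike an actual expansion which is O(files).
    Raises ValueError on a cycle (impossible in real git, but cheap to guard)."""
    memo, on_stack = {}, set()
    def count(oid):
        if trees[oid] is None:          # blob: exactly one file path
            return 1
        if oid in memo:
            return memo[oid]
        if oid in on_stack:
            raise ValueError(f"cycle through {oid}")
        on_stack.add(oid)
        memo[oid] = sum(count(target) for _name, _kind, target in trees[oid])
        on_stack.discard(oid)
        return memo[oid]
    return count(root)

def is_git_bomb(trees, root, max_files=10_000_000):
    """Flag a repository whose small object graph expands past `max_files`.
    The threshold is a constructed policy value, not anything from git.
    Returns (flagged, expanded_file_count, object_count)."""
    files = expanded_files(trees, root)
    return files > max_files, files, len(trees)

if __name__ == "__main__":
    trees, root = build_git_bomb(depth=10, fanout=10)
    bomb, files, objects = is_git_bomb(trees, root)
    print(f"{objects} objects would expand to {files:,} files; bomb={bomb}")
```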
Created git tracking bugs for this issue: Affects: fedora-all [bug 1510457]
git <= 2.14.3 is vulnerable here, I believe. The upstream commit which resolves this is https://git.kernel.org/pub/scm/git/git.git/commit/?id=a937b37e76 (merged yesterday). I imagine we'll see some maint releases from upstream shortly. The commit applies cleanly to 2.9.x (which f25 runs). I didn't look any further back than that.