The Git client does not validate messages received from a Git server, and will print anything received, including ANSI escape codes, to the terminal. Under certain client environments, a malicious Git server or man-in-the-middle (MITM) could send malicious data, potentially resulting in execution of terminal escape sequences on the client machine. This could potentially result in code execution, arbitrary file writes, or other attacks when combined with the usage of vulnerable / buggy terminal emulators.

External References:

http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html
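The missing validation described above can be illustrated with a filter applied to server text before it reaches the terminal. This is an added example, not Git's code and not a fix taken from this bug: the function name `sanitize_remote_msg` and the sample message are assumptions, and it rewrites every control byte except newline and tab (so carriage returns become `^M` as well).

```c
#include <stdio.h>
#include <string.h>

/* Append one byte, always leaving room for the terminating NUL. */
static void put(char *out, size_t cap, size_t *n, char c)
{
    if (*n + 1 < cap)
        out[(*n)++] = c;
}

/*
 * sanitize_remote_msg() is a hypothetical helper, not a Git function.
 * Copies an untrusted server message into out (NUL-terminated if cap > 0),
 * making control bytes visible. Returns how many were neutralized.
 */
size_t sanitize_remote_msg(const char *in, size_t len, char *out, size_t cap)
{
    size_t n = 0, hits = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        unsigned char next = i + 1 < len ? (unsigned char)in[i + 1] : 0;
        if (c == '\n' || c == '\t') {
            put(out, cap, &n, (char)c);          /* layout only, keep */
        } else if (c < 0x20 || c == 0x7f) {
            put(out, cap, &n, '^');              /* caret notation: */
            put(out, cap, &n, (char)(c ^ 0x40)); /* ESC -> "^[", DEL -> "^?" */
            hits++;
        } else if (c == 0xc2 && next >= 0x80 && next <= 0x9f) {
            put(out, cap, &n, '?');              /* UTF-8 encoded C1 control */
            i++;
            hits++;
        } else {
            put(out, cap, &n, (char)c);          /* printable or other UTF-8 */
        }
    }
    if (cap > 0)
        out[n] = '\0';
    return hits;
}

int main(void)
{
    /* Constructed sample: a server message carrying SGR colour codes. */
    const char msg[] = "remote: \x1b[31mstatus\x1b[0m\n";
    char safe[128];
    size_t hits = sanitize_remote_msg(msg, strlen(msg), safe, sizeof safe);
    printf("%s(%zu control bytes neutralized)\n", safe, hits);
    return 0;
}
```

A non-zero return value is also a cheap detection signal: a server message that contains control bytes can be logged before it is displayed.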
Created git tracking bugs for this issue:

Affects: fedora-all [bug 1541855]
Discussion on git mailing list: https://public-inbox.org/git/20180205204312.GB104086@aiede.svl.corp.google.com/
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-1000021