Description
It was reported that git, when used as a client on a case-insensitive
filesystem, could allow the overwrite of the .git/config file when the client
performed a "git pull". Because git permitted committing .Git/config (or any
case variation), on the pull this would replace the user's .git/config. If
this malicious config file contained defined external commands (such as for
invoking and editor or an external diff utility) it could allow for the
execution of arbitrary code with the privileges of the user running the git
client (CVE-2014-9390).