Related Vulnerabilities: CVE-2021-21300  

Severity: Medium
Remote: Yes
Type: Arbitrary code execution

Description

A security issue was found in Git up to version 2.30.1. On case-insensitive file systems with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone. It is fixed in Git versions 2.17.6, 2.18.5, 2.19.6, 2.20.5, 2.21.4, 2.22.5, 2.23.4, 2.24.4, 2.25.5, 2.26.3, 2.27.1, 2.28.1, 2.29.3 and 2.30.2.

Group: AVG-1665 | Package: git | Affected: 2.30.1-1 | Fixed: 2.30.2-1 | Severity: Medium | Status: Fixed
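
An added example, not part of the original advisory: a shell check that compares the installed upstream Git version against the fixed releases listed in the description and lists filter drivers configured with a long-running `process` command, which is how delay-capable filters such as Git LFS are set up. The function names are hypothetical, and a distribution package that backports the fix without changing the upstream version number will be reported as vulnerable.

```shell
#!/bin/sh
# Fixed releases from the advisory, one per maintenance branch.
FIXED="2.17.6 2.18.5 2.19.6 2.20.5 2.21.4 2.22.5 2.23.4 2.24.4 2.25.5 2.26.3 2.27.1 2.28.1 2.29.3 2.30.2"

# version_status VERSION: prints fixed, vulnerable or unknown (hypothetical helper).
# Compares upstream version numbers only; distro backports are not detected.
version_status() {
    v=${1%%[!0-9.]*}                 # drop suffixes such as "windows.1"
    [ -n "$v" ] || { echo unknown; return 0; }
    old_ifs=$IFS; IFS=.
    set -- $v                        # split into major minor patch
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    # Anything newer than the 2.30 branch already contains the fix.
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 30 ]; }; then
        echo fixed; return 0
    fi
    for f in $FIXED; do
        fminor=${f#2.}; fminor=${fminor%%.*}
        fpatch=${f##*.}
        if [ "$major" -eq 2 ] && [ "$minor" -eq "$fminor" ]; then
            if [ "$patch" -ge "$fpatch" ]; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done
    # Branch with no fixed release listed: the advisory counts everything
    # up to 2.30.1 as affected.
    echo vulnerable
}

# report: print the verdict for the installed git and any filter drivers that
# define a long-running "process" command (how delay-capable filters such as
# Git LFS are configured) at system or global scope.
report() {
    installed=$(git --version | awk '{print $3}')
    echo "git $installed: $(version_status "$installed")"
    for scope in --system --global; do
        git config "$scope" --get-regexp '^filter\..*\.process$' 2>/dev/null |
            sed "s/^/process filter ($scope): /"
    done
    return 0
}

if command -v git >/dev/null 2>&1; then report; fi
```

A `process` entry only shows that a long-running filter is configured; whether that filter negotiates the delay capability is not visible in the configuration.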

https://lkml.org/lkml/2021/3/9/995
https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592