The am function in lib/hub/commands.rb in hub prior to 1.12.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary patch file.
github hub