Hey.
This is merely a heads up about a security issue that was found a while ago in git itself and which was discussed in detail at [0] as well as [1] with a good overview and simple demo of an exploit at [2] and with a "fix" (i.e. rather a safeguard, that unfortunately even seems to default to the unsafe option) pending for release at [3].
In short, cloning an untrusted repository and inspecting it (simple git commands or even `cd`ing into it, with things like `git-prompt` enabled, may be enough) apparently allows arbitrary code execution, i.e. code which is controlled by a possible attacker.
Could you please check whether libgit2 is also affected by this issue and if so, provide some fix?
Similarly, it must be checked whether the work tree of a git repo would contain a `.git` dir, which would allow for the same attack with non-bare repos.
Git apparently has forbidden this for a long time.
Thanks for checking,
Chris.
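As an added, defender-side example that is not part of this issue and not libgit2 code: a check over a repository's tree paths (for instance the output of `git ls-tree -r --name-only`) that flags entries which would create a nested `.git` directory in the work tree on checkout. The matching rules (case-insensitive `.git`, trailing dots/spaces stripped as Windows does, and the NTFS 8.3 short name `GIT~1`) mirror git's own path checks as I understand them and are an assumption here, not a description of libgit2's behaviour.

```python
import re
from typing import List

# Hypothetical helper, not libgit2 code. The rules below are an assumption
# modelled on git's verify_path()/core.protectNTFS handling of ".git" entries.
_NTFS_SHORT_DOTGIT = re.compile(r"^git~1$", re.IGNORECASE)


def component_is_dotgit(component: str) -> bool:
    """True if a single path component would land on disk as a .git entry."""
    # Windows drops trailing dots and spaces when creating files, so ".git."
    # or ".git " end up as ".git"; case-insensitive filesystems fold ".GIT".
    normalized = component.rstrip(". ").lower()
    return normalized == ".git" or bool(_NTFS_SHORT_DOTGIT.match(normalized))


def find_nested_dotgit(paths: List[str]) -> List[str]:
    """Return every tree path that contains a .git component.

    `paths` are '/'-separated tree paths as listed by `git ls-tree -r`; a
    backslash is also treated as a separator because it is one on Windows.
    """
    flagged = []
    for path in paths:
        components = re.split(r"[/\\]", path)
        if any(component_is_dotgit(c) for c in components):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    # Constructed sample listing, not taken from any real repository.
    sample = [
        "README.md",
        "src/main.c",
        "vendor/lib/.git/config",
        "tools/.GIT/hooks/post-checkout",
        "notes/.git./HEAD",
        "legacy/GIT~1/config",
        "docs/.gitignore",
    ]
    for p in find_nested_dotgit(sample):
        print("refused:", p)
```

A checkout routine would refuse the whole tree rather than skip the flagged entries, since a partially written work tree is itself a surprise to the user.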