Git Arbitrary Configuration Injection [CVE-2023-29007]

We discussed this vulnerability during Episode 207 on 01 May 2023

A logic bug in the parsing of the .git/config file, which could be triggered via git submodules. The relevant function for the vuln here is git_config_copy_or_rename_section_in_file(), which removes or renames configuration sections in-place in the config file. It reads config lines via fgets() into a 1KB buffer, but if a line exceeded 1024 bytes, it would call fgets() again and treat the remainder as a new line in the config file even though no line break was present before it. This can allow an attacker to inject arbitrary sections into the git config, including one that runs a shell command to get code execution.
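The chunking behaviour described above, as an added example (a simplified model, not git's code or its actual patch): the same constructed input is scanned once treating every fgets() chunk as a line, and once counting a chunk as a line start only if the previous chunk ended in a newline. The names count_headers, make_sample and the "[injected]" section are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define CHUNK 1024 /* buffer size named in the write-up */

/* Count fgets() chunks that look like a "[section]" header.
 * track_line_start == 0: every chunk is treated as a new line (the flaw).
 * track_line_start == 1: a chunk counts only at a true line start. */
static int count_headers(FILE *f, int track_line_start)
{
    char buf[CHUNK];
    int headers = 0, at_line_start = 1;

    rewind(f);
    while (fgets(buf, sizeof(buf), f)) {
        size_t n = strlen(buf);
        if (buf[0] == '[' && (at_line_start || !track_line_start))
            headers++;
        /* the next chunk starts a line only if this one ended in '\n' */
        at_line_start = (n > 0 && buf[n - 1] == '\n');
    }
    return headers;
}

/* Constructed sample: one real section, then a value padded so the text
 * "[injected]" lands exactly at the start of the next fgets() chunk. */
static FILE *make_sample(void)
{
    const char *key = "\turl = ";
    size_t i, pad = (CHUNK - 1) - strlen(key);
    FILE *f = tmpfile();

    if (!f)
        return NULL;
    fputs("[submodule \"x\"]\n", f);
    fputs(key, f);
    for (i = 0; i < pad; i++)
        fputc('a', f);
    fputs("[injected]\n", f);
    return f;
}

int main(void)
{
    FILE *f = make_sample();
    if (!f)
        return 1;
    printf("chunk-as-line headers: %d\n", count_headers(f, 0));
    printf("line-aware headers:    %d\n", count_headers(f, 1));
    fclose(f);
    return 0;
}
```

The same line-length test works as a quick audit: any line in .gitmodules or .git/config longer than 1023 bytes is worth inspecting on a git version affected by this CVE.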

Impact is somewhat limited because triggering this issue requires the victim to deinitialize, remove, or rename a submodule with a large URL, which not only requires user interaction but is also unlikely.