Impact
Git already refuses to check out tree entries whose paths contain a forward slash, as that is a directory separator (i.e. the directory name should be recorded in a different tree object than the actual file name). On Windows, the backslash is also a valid directory separator, but Git did not handle it the same way as a forward slash.
This makes it possible for maliciously-crafted repositories to overwrite arbitrary files during a clone.
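The check described above, as an added example that is not code from Git or Git for Windows: a parser for a raw tree object body that flags entry names containing either separator. It assumes the SHA-1 object format (20-byte object ids); the function names and the sample tree are constructed for illustration.

```python
# Added example: scan a raw Git tree object for entry names that embed a
# directory separator. All sample data below is constructed.
import hashlib

SEPARATORS = (b"/", b"\\")  # the backslash only acts as a separator on Windows

def parse_tree(raw: bytes):
    """Yield (mode, name, object_id_hex) for each entry of a raw tree body.

    Entry layout: <octal mode> SP <name> NUL <20-byte SHA-1 object id>.
    """
    pos = 0
    while pos < len(raw):
        space = raw.index(b" ", pos)        # ValueError on malformed input
        nul = raw.index(b"\0", space + 1)
        oid_end = nul + 21
        if oid_end > len(raw):
            raise ValueError("truncated tree entry")
        mode = raw[pos:space].decode("ascii")
        yield mode, raw[space + 1:nul], raw[nul + 1:oid_end].hex()
        pos = oid_end

def suspicious_entries(raw: bytes):
    """Return entry names whose single path component contains a separator."""
    return [name for _mode, name, _oid in parse_tree(raw)
            if any(sep in name for sep in SEPARATORS)]

def make_entry(mode: str, name: bytes) -> bytes:
    """Build one tree entry with a placeholder object id (constructed)."""
    return mode.encode("ascii") + b" " + name + b"\0" + hashlib.sha1(name).digest()

# Constructed sample: three entries, one of which stores a backslash in its name
# instead of recording "docs" as a separate tree object.
SAMPLE_TREE = b"".join([
    make_entry("100644", b"README.md"),
    make_entry("100644", b"docs\\notes.txt"),
    make_entry("40000", b"src"),
])

if __name__ == "__main__":
    for name in suspicious_entries(SAMPLE_TREE):
        print("entry name contains a directory separator:",
              name.decode("utf-8", errors="replace"))
```

The raw body this parser expects is what `git cat-file tree <object>` writes to standard output.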
Patches
The problem has been patched in Git for Windows v2.24.1(2), published on Tuesday, December 10th, 2019. It is highly recommended to upgrade.
Workarounds
Avoid cloning untrusted repositories.
References