A flaw was found in the way the git-remote-ext helper processed certain
URLs. If a user had Git configured to automatically clone submodules from
untrusted repositories, an attacker could inject commands into the URL of
a submodule, allowing them to execute arbitrary code on the user's system.
--