@ytrezq reported a heap-based memory corruption bug in Git that exploited an unsigned-to-signed integer conversion. An attacker could have exploited this flaw by pushing a malicious repository to GitHub to perform a denial of service or possibly read from or write to unexpected memory locations. We addressed the bug by updating Git to use unsigned integers consistently. We also added validation logic to Git that looks for potentially malicious repository contents (e.g. excessively long path lengths).
CVE-2016-2315 has been created for this vulnerability and will be available in the National Vulnerability Database once it is published.
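The two mitigations described above (lengths kept unsigned throughout, plus rejection of excessively long paths) look like this in an added C example; it is not Git's or GitHub's code. The names `join_path` and `fits_in_int` and the 4096-byte `MAX_PATH_LEN` limit are assumptions made for this illustration.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATH_LEN 4096u /* hypothetical limit chosen for this example */

enum join_status { JOIN_OK = 0, JOIN_TOO_LONG = -1, JOIN_NOMEM = -2 };

/* True when a size_t length would keep its value if stored in an int.
 * Lengths above INT_MAX turn negative or wrap when narrowed, which is the
 * unsigned-to-signed hazard the write-up describes. */
int fits_in_int(size_t n)
{
    return n <= (size_t)INT_MAX;
}

/* Join dir and name with '/', keeping every length in size_t and rejecting
 * oversized input before any allocation or copy happens. */
enum join_status join_path(const char *dir, size_t dir_len,
                           const char *name, size_t name_len, char **out)
{
    size_t total;
    char *buf;

    *out = NULL;
    /* Checking each part first means the sum below cannot overflow. */
    if (dir_len > MAX_PATH_LEN || name_len > MAX_PATH_LEN)
        return JOIN_TOO_LONG;
    total = dir_len + 1 + name_len;          /* '/' separator */
    if (total > MAX_PATH_LEN)
        return JOIN_TOO_LONG;

    buf = malloc(total + 1);                 /* + NUL terminator */
    if (!buf)
        return JOIN_NOMEM;
    memcpy(buf, dir, dir_len);
    buf[dir_len] = '/';
    memcpy(buf + dir_len + 1, name, name_len);
    buf[total] = '\0';
    *out = buf;
    return JOIN_OK;
}
```

Because both parts are bounded before they are added, the allocation size and the copy lengths always agree, and no length ever passes through a signed type.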