Are remote git clients vulnerable to CVE-2014-9390 if only trusted users have SSH access?

Question

If I have a git client on a remote server and only X users have SSH access, should I be concerned with updating git on that server specifically to patch against CVE-2014-9390? It seems to me that the vulnerability is strictly related to .Git/config being clobbered on a case insensitive filesystem, which would require a git push, which would only ever be accepted (in this case) by trusted users that already have SSH access. Is that the case? Am I missing anything?

Related reading:

• http://article.gmane.org/gmane.linux.kernel/1853266
• http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html
• https://github.com/blog/1938-vulnerability-announced-update-your-git-clients

Answer 1

This only affects people who pull from untrustworthy repositories. If you know your repository, to which only trustworthy people have update access, does not have malicious contents, you would be safe without the patch.

If any of these trusted users' account is compromised and an impersonator is allowed to push malicious contents there, of course you are lost. But since you are assuming that will never happen, so ...