How do I scan a git repository for possible CVE-2014-9390 malicious commits?

Question

Using stock git porcelain and plumbing, how does one search all reachable commits for instances of possibly malicious additions to .GiT, .gIt, and so on?

For context, see

• [ANNOUNCE] Git v2.2.1 (and updates to older maintenance tracks)
• Git 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1 and thanking friends in Mercurial land
• Vulnerability announced: update your Git clients
• https://security-tracker.debian.org/tracker/CVE-2014-9390

Answer 1

From the first link you've given (Git v2.2.1 Release Notes / Fixes since v2.2):

"git fsck" notices a tree object that records such a path that can be confused with ".git"

So, just update to the latest git, run git fsck, and you are done.