Looked into stable/diablo and although it doesn't support file injection (so it's not vulnerable to this precise issue), it's still vulnerable to Padraig's variation (upload an image with symlinks in meta.js, /etc/network or /root/.ssh). The impact is slightly lower in the second case, since it's harder to inject arbitrary data, but it affects more setups.
I think we should treat those as two separate issues, two separate CVEs, though probably in the same patch:
* Matthias's is about arbitrary file injection through <personality>, affects Essex/Folsom in libvirt-based setups
* Padraig's is about file corruption through net/ssh/metadata injection, affects Diablo/Essex/Folsom, libvirt & xen setups
Thoughts?
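The second variation above relies on the injection code writing into a mounted guest image by path and following whatever symlinks the image author planted there. The check a defender wants is that every component of the target path under the mount root is a real directory and that the final open does not follow a link. The following is an added illustration written for this page, not nova's own injection code or a patch from the bug; the function names, the temporary "image" directory and the planted `/root/.ssh` symlink are all constructed for the example, and the second scenario (path traversal with `..`) goes slightly beyond what the comment describes.

```python
import os
import tempfile


def safe_guest_path(mount_root, guest_path):
    """Map guest_path (an absolute path inside the guest image) to a host path
    under mount_root. Refuses if any existing component is a symlink or if the
    path would leave the mount root. Hypothetical helper, not nova code."""
    root = os.path.realpath(mount_root)
    parts = [p for p in guest_path.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise ValueError("path traversal rejected: %r" % guest_path)
    cur = root
    for comp in parts:
        cur = os.path.join(cur, comp)
        # islink() is False for a missing path, so files and directories that
        # do not exist yet may still be created further down.
        if os.path.islink(cur):
            raise ValueError("symlink in guest image rejected: %r" % cur)
    if os.path.commonpath([root, cur]) != root:
        raise ValueError("escapes mount root: %r" % guest_path)
    return cur


def inject_file(mount_root, guest_path, data):
    """Write data to guest_path inside the mounted image without following
    symlinks. Returns the host path that was written."""
    host_path = safe_guest_path(mount_root, guest_path)
    os.makedirs(os.path.dirname(host_path), exist_ok=True)
    # O_NOFOLLOW makes the open itself fail if a symlink is swapped in
    # between the component check above and the write.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(host_path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return host_path


def demo():
    """Constructed scenario: a fake mounted image whose /root/.ssh is a symlink
    to a directory that stands in for the host's own /root/.ssh."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "image")
        host_ssh = os.path.join(tmp, "host_root_ssh")
        os.makedirs(os.path.join(image, "root"))
        os.makedirs(host_ssh)
        os.symlink(host_ssh, os.path.join(image, "root", ".ssh"))

        results = {}
        # Ordinary injection into a normal guest path succeeds.
        inject_file(image, "/etc/network/interfaces", b"auto eth0\n")
        results["normal"] = os.path.exists(
            os.path.join(image, "etc", "network", "interfaces"))
        # Injection through the planted symlink is refused (constructed key data)...
        try:
            inject_file(image, "/root/.ssh/authorized_keys", b"ssh-rsa EXAMPLE\n")
            results["symlink_rejected"] = False
        except ValueError:
            results["symlink_rejected"] = True
        # ...and nothing landed in the directory the symlink pointed at.
        results["host_untouched"] = os.listdir(host_ssh) == []
        # Traversal out of the image root is refused as well.
        try:
            safe_guest_path(image, "/../escape")
            results["traversal_rejected"] = False
        except ValueError:
            results["traversal_rejected"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

The component walk catches a symlink anywhere on the path (the `/root/.ssh` directory case from the comment, not only a symlinked final file), and `O_NOFOLLOW` closes the window between that walk and the write; an image the guest can still modify while mounted would also need the write done from an unprivileged or namespaced context, which this example does not cover.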