It was found that the SSH key handling code follows symlinks, allowing a malicious user to create a symlink from ~/.ssh pointing to an arbitrary place. CVE request: http://seclists.org/oss-sec/2016/q1/336
Created cloud-init tracking bugs for this issue:
Affects: fedora-all [bug 1308874]
Affects: epel-all [bug 1308875]
There is no realistic attack vector here (the bug report assumes that an unprivileged user can write to a different user's directories). Hence closing the bug.
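An added illustration of the symlink concern in the report above (this is not cloud-init's code or any fix it shipped): one way a privileged process can append to a user's authorized_keys while refusing a symlink at .ssh or at the file itself. The function names, the sample key string and the temporary directory layout are constructed for the example, and the home directory path itself is assumed to be trusted.

```python
import errno
import os
import tempfile


def append_key_nofollow(home, key_line):
    """Append key_line to <home>/.ssh/authorized_keys; return False on a symlink."""
    # O_NOFOLLOW only guards the final path component, so .ssh is opened first
    # and the file is then opened relative to that directory descriptor.
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    try:
        ssh_fd = os.open(os.path.join(home, ".ssh"), dir_flags)
    except OSError as exc:
        # A symlink at .ssh is reported as ELOOP or ENOTDIR depending on the OS.
        if exc.errno in (errno.ELOOP, errno.ENOTDIR):
            return False
        raise
    try:
        file_flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
        fd = os.open("authorized_keys", file_flags, 0o600, dir_fd=ssh_fd)
    except OSError as exc:
        if exc.errno == errno.ELOOP:  # authorized_keys itself is a symlink
            return False
        raise
    finally:
        os.close(ssh_fd)
    with os.fdopen(fd, "a") as fh:
        fh.write(key_line.rstrip("\n") + "\n")
    return True


def demo():
    """Constructed layout: one home with .ssh symlinked, one with the file symlinked."""
    key = "ssh-ed25519 CONSTRUCTED-KEY demo@example"
    with tempfile.TemporaryDirectory() as root:
        elsewhere = os.path.join(root, "elsewhere")
        os.mkdir(elsewhere)
        home_a = os.path.join(root, "home_a")
        os.mkdir(home_a)
        os.symlink(elsewhere, os.path.join(home_a, ".ssh"))
        home_b = os.path.join(root, "home_b")
        os.makedirs(os.path.join(home_b, ".ssh"))
        os.symlink(os.path.join(elsewhere, "target"),
                   os.path.join(home_b, ".ssh", "authorized_keys"))
        home_c = os.path.join(root, "home_c")
        os.makedirs(os.path.join(home_c, ".ssh"))
        refused = not (append_key_nofollow(home_a, key) or append_key_nofollow(home_b, key))
        untouched = os.listdir(elsewhere) == []
        return refused, untouched, append_key_nofollow(home_c, key)
```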