Created attachment 472374 [details, diff] rxvt-unicode-defense-in-depth-fix.patch As discussed via personal email and on oss-sec, the attached patch should be applied to the rxvt-unicode patch.
This is not a security bug.
(In reply to Jason A. Donenfeld from comment #0) > Created attachment 472374 [details, diff] [details, diff] > rxvt-unicode-defense-in-depth-fix.patch Jason, has upstream accepted the patch yet? > As discussed via personal email and on oss-sec, the attached patch should be > applied to the rxvt-unicode patch. Well, you asked me to apply the patch and I asked what upstream thinks of it. That's not a discussion. The last thing you said about it was: "rxvt-unicode isn't vulnerable, but the patch I sent you is worth applying as a defense-in-depth measure. I've sent it upstream and am awaiting their response." I am awaiting their response, too. No related commits yet, nothing on the mailing list (where did you send that e-mail to?), no updates in the Changes file.
Okay, no problem. I'll poke upstream again and also add them to this bug report.