Bernhard R. Link has reported a security issue in rxvt, which can be exploited by malicious, local users to gain escalated privileges.
The security issue is caused due to the program using ":0" as its X11 display if the DISPLAY environment variable is missing. This can be exploited to execute arbitrary commands with the privileges of the user running rxvt via a malicious X server.
The security issue is reported in version 2.6.4. Other versions may also be affected.
Do not run rxvt on untrusted systems.
Restrict local access to trusted users only.
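The fallback described in the advisory above, next to a strict variant that refuses to guess a display, as an added example. This is not rxvt's source and not the patch attached to this bug; the function names `display_legacy` and `display_strict` are hypothetical, and treating an empty value as unset is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Behaviour the advisory describes: with no display given, silently use ":0".
 * On a shared host, whoever runs the X server on :0 then receives the
 * terminal window and its input. */
const char *display_legacy(const char *opt_display, const char *env_display)
{
    if (opt_display != NULL)
        return opt_display;
    if (env_display != NULL)
        return env_display;
    return ":0";
}

/* Strict variant: only an explicit -display argument or a non-empty DISPLAY
 * is accepted. NULL tells the caller to abort instead of connecting. */
const char *display_strict(const char *opt_display, const char *env_display)
{
    if (opt_display != NULL && opt_display[0] != '\0')
        return opt_display;
    if (env_display != NULL && env_display[0] != '\0')
        return env_display;
    return NULL;
}

int main(int argc, char **argv)
{
    const char *opt = NULL;

    /* Minimal option scan: only "-display <name>" is recognised here. */
    for (int i = 1; i + 1 < argc; i++)
        if (strcmp(argv[i], "-display") == 0)
            opt = argv[i + 1];

    const char *name = display_strict(opt, getenv("DISPLAY"));
    if (name == NULL) {
        fprintf(stderr, "can't open display: DISPLAY is not set and no -display given\n");
        return EXIT_FAILURE;
    }
    printf("would connect to X display %s\n", name);
    return EXIT_SUCCESS;
}
```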
Fixed ebuild committed to the tree.
Arches, please test and mark stable:
Target keywords: alpha amd64 hppa mips ppc ppc64 sparc x86
Already stabled: amd64
D'oh, I managed to forget CC'ing arches as well.
Also CC'ing killerfox as he's probably interested in the patch because of bug 219760 (rxvt-unicode).
mips is ~arch-only.
Created attachment 151785
patch against 2.7.10
Patch sent upstream (and added to this bug for completeness and so that I could link to it).
Sorry for the arch cc'ing mess yesterday, btw (first I forgot to click "Add archs", then I noticed that I missed release, then dirtyepic noticed I accidentally added mips...;)).
Stable for HPPA.
Fixed in release snapshot.