canto-curses and canto-daemon are available in portage as version 0.8.4 (released in march of 2013), upstream released version 0.9.0 of both a few weeks ago. Reproducible: Always
Canto Curses 0.9.0 contains a security fix, as noted in the next comment.
CVE-2013-7416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7416): canto_curses/guibase.py in Canto Curses before 0.9.0 allows remote feed servers to execute arbitrary commands via shell metacharacters in a URL in a feed.
Thanks for picking that up under the security banner, but shouldn't the version in portage get masked for the time being?
New versions of canto-curses and canto-daemon are in tree. Old versions was dropped. Package has never been stable, closing as noglsa