Out of pure curtesy, I'm bringing this to your attention:
There you should find all the reference urls you need to judge whether
this is a vulnerability issue (one line patch, or so) or not. I'm not
really sure myself. This is not the same issue as was patched for GNU
Emacs, but similar.
This line is left blank intentionally