The vulnerability seems quite serious. It isn't practical to use fetchpatch here due to bootstrapping, so I just committed the small patch file.
Vladimír Čunát