lens-bar-keynavigation periodically writes to /tmp/wut.png

No security impact because of the symlink restrictions in Ubuntu....it's just...bad coding.

Verified by a trusted friend, and Unity has the following line from the diff ref'd above:

    cairo_surface_write_to_png(cairo_get_target(cr), "/tmp/wut.png");

Seriously unclean. Also, unsafe usage of tmp.

The symlink restrictions are solely in the kernel, which people might have to replace for various reasons. In other words: It might not be a security issue on plain - unmodified - Ubuntu, but it is still a security issue.
Just sayin'

Fix committed into lp:unity at revision None, scheduled for release in unity, milestone 7.1.1

This bug was fixed in the package unity - 7.1.0+13.10.20130816.3-0ubuntu1

---------------
unity (7.1.0+13.10.20130816.3-0ubuntu1) saucy; urgency=low

  [ Michal Hruby ]
  * Make sure we emit row_added signals for all rows present in a model
    when changing a model Model::SetModel(). (LP: #1212580)

  [ Andrew McCarthy ]
  * added photo lens shortcut to the shortcuts hint window (lp:
    #1069644). (LP: #1069644)

  [ Stephen M. Webb ]
  * added photo lens shortcut to the shortcuts hint window (lp:
    #1069644). (LP: #1069644)
  * removed debug output thatcould cause a potential security problem
    (lp: #1051921). (LP: #1051921)

  [ Nick Dedekind ]
  * Don't re-add the rows for filters and categories if the model
    changes.
  * Fixed duplicate categories in scope caused by full resync on model
    change. (LP: #1212945)

  [ Chris Townsend ]
  * Fix issue where the same app on different workspaces would not allow
    alt-tab to work properly when trying to switch to the last used app
    on the same workspace. (LP: #1211261)

  [ Ubuntu daily release ]
  * Automatic snapshot from revision 3473
 -- Ubuntu daily release <email address hidden> Fri, 16 Aug 2013 11:47:59 +0000

Thanks, Y'all!

Don't see there is anything for sponsors to do here (it's merged in precise's branch already).

Any idea when this will be SRU'd to Precise? It's been merged for a few months now.

Actually, it doesn't seem to be fixed in Precise. This is the latest changelog entry of the current Precise version:

unity (5.20.0-0ubuntu3) precise-proposed; urgency=low

  * Add initial support for pointer barriers with xinput2 api. (LP: #1242633)
    - Fallback to xfixes stays available.
  * Bump dependencies to compile with both pointer barriers implementations.

 -- Maarten Lankhorst <email address hidden> Thu, 05 Sep 2013 11:58:32 +0200

It's 0ubuntu3 as the one in the proposed patch, but it's actually a completely different entry, referencing a different bug.

As can be seen in http://bazaar.launchpad.net/~unity-team/unity/5.0/changes/2425?start_revid=2425, the commit was submitted in revision 2423, but there have been no Unity 5 releases after that.

Is there going to be a last Unity 5 release, or is 5.20 the last one?

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release