diff -Nru encfs-1.9.1/debian/changelog encfs-1.9.1/debian/changelog
--- encfs-1.9.1/debian/changelog	2016-12-12 16:38:41.000000000 +0000
+++ encfs-1.9.1/debian/changelog	2017-02-14 22:03:28.000000000 +0000
@@ -1,3 +1,15 @@
+encfs (1.9.1-4) unstable; urgency=high
+
+  * Cherry-picked from upstream:
+    + Replaced zero_pwd_segfault patch with another fix from upstream branch
+      which forces a clean exit instead of a behavior that confused some encfs
+      frontends (closes: #853916)
+      (source: 5994b28542e7f551b71ac471ff9aacf6dcd5a3b0 / Jakob Unterwurzacher)
+    + improve_example: safer command execution example with quotes ("$*")
+      (source: ecc364df0d7269c65d2858039aaeaf27ea0e4da6 / Charles Duffy)
+
+ -- Eduard Bloch <blade@debian.org>  Tue, 14 Feb 2017 23:03:28 +0100
+
 encfs (1.9.1-3) unstable; urgency=medium
 
   * Uploading to Sid
diff -Nru encfs-1.9.1/debian/patches/improve_example encfs-1.9.1/debian/patches/improve_example
--- encfs-1.9.1/debian/patches/improve_example	1970-01-01 00:00:00.000000000 +0000
+++ encfs-1.9.1/debian/patches/improve_example	2017-02-14 22:03:28.000000000 +0000
@@ -0,0 +1,29 @@
+commit ecc364df0d7269c65d2858039aaeaf27ea0e4da6
+Author: Charles Duffy <chaduffy@cisco.com>
+Date:   Thu Dec 22 16:37:12 2016 -0600
+
+    Suggest "$@", not $*, in documentation
+    
+    `$*` operates by:
+    
+    - Concatenating all arguments with the first character in `IFS` (by default a space) into a single string
+    - Splitting that string on all characters found in `IFS` to join a list of words
+    - Expanding each of those words as a glob character
+    
+    Thus, using `$*` in a wrapper means that an argument such as `"one word"` becomes two arguments, `one` and `word`, and an argument `'*.txt'` can be replaced with an entirely unknown number of arguments (`one.txt`, `two.txt`) despite its quoting.
+    
+    Use `"$@"` to pass an argument vector through literally without any kind of expansion.
+
+diff --git a/encfs/encfs.pod b/encfs/encfs.pod
+index 0d4085c..982f9b5 100644
+--- a/encfs/encfs.pod
++++ b/encfs/encfs.pod
+@@ -182,7 +182,7 @@ Note that encfs arguments cannot be set this way.  If you need to set encfs
+ arguments, create a wrapper, such as  encfs-reverse;
+ 
+     #!/bin/sh
+-    encfs --reverse $*
++    encfs --reverse "$@"
+ 
+ Then mount using the script path
+ 
diff -Nru encfs-1.9.1/debian/patches/series encfs-1.9.1/debian/patches/series
--- encfs-1.9.1/debian/patches/series	2016-12-12 16:38:41.000000000 +0000
+++ encfs-1.9.1/debian/patches/series	2017-02-14 22:03:28.000000000 +0000
@@ -4,4 +4,4 @@
 manpage_fixes
 zero_pwd_segfault
 deprecate_RAND_pseudo_bytes 
-
+improve_example
diff -Nru encfs-1.9.1/debian/patches/zero_pwd_segfault encfs-1.9.1/debian/patches/zero_pwd_segfault
--- encfs-1.9.1/debian/patches/zero_pwd_segfault	2016-12-12 16:38:41.000000000 +0000
+++ encfs-1.9.1/debian/patches/zero_pwd_segfault	2017-02-14 22:03:28.000000000 +0000
@@ -1,34 +1,44 @@
-commit c3a7da5eff4055e77dc9404b0c15945485232bf2
-Author: Ian Lee <ian.rob.lee@gmail.com>
-Date:   Mon Oct 31 14:38:56 2016 +0000
+commit 5994b28542e7f551b71ac471ff9aacf6dcd5a3b0
+Author: Jakob Unterwurzacher <jakobunt@gmail.com>
+Date:   Sun Feb 5 13:52:48 2017 +0100
 
-    Fix a segfault when password is zero length.
+    Exit with a fatal error on empty password
     
-    if useStdin and configMode == Config_Prompt, default to Config_Standard,
-    otherwise we might read the password input at the wrong place.
+    The requirement that the password is not empty was not enforced
+    properly in all getUserKey() variants. Add the check to makeKey()
+    instead that is called in every code path.
+    
+    This also fixes the crash desribed at https://github.com/vgough/encfs/issues/241 .
 
 diff --git a/encfs/FileUtils.cpp b/encfs/FileUtils.cpp
-index 39a3b88..edd2b71 100644
+index 39a3b88..f50d007 100644
 --- a/encfs/FileUtils.cpp
 +++ b/encfs/FileUtils.cpp
-@@ -956,7 +956,9 @@ RootPtr createV6Config(EncFS_Context *ctx,
-   const std::string passwordProgram = opts->passwordProgram;
-   bool useStdin = opts->useStdin;
-   bool reverseEncryption = opts->reverseEncryption;
--  ConfigMode configMode = opts->configMode;
-+  ConfigMode configMode = (useStdin &&
-+                           opts->configMode == Config_Prompt) ? Config_Standard
-+                                                              : opts->configMode;
-   bool annotate = opts->annotate;
- 
-   RootPtr rootInfo;
-@@ -1169,6 +1171,9 @@ RootPtr createV6Config(EncFS_Context *ctx,
-   else
-     userKey = config->getNewUserKey();
+@@ -1348,6 +1348,11 @@ CipherKey EncFSConfig::makeKey(const char *password, int passwdLen) {
+   CipherKey userKey;
+   std::shared_ptr<Cipher> cipher = getCipher();
  
-+  if (userKey == nullptr)
-+    return rootInfo;
++  if (passwdLen == 0) {
++    cerr << _("fatal: zero-length passwords are not allowed\n");
++    exit(1);
++  }
 +
-   cipher->writeKey(volumeKey, encodedKey, userKey);
-   userKey.reset();
+   // if no salt is set and we're creating a new password for a new
+   // FS type, then initialize salt..
+   if (salt.size() == 0 && kdfIterations == 0 && cfgType >= Config_V6) {
+@@ -1389,10 +1394,12 @@ CipherKey EncFSConfig::getUserKey(bool useStdin) {
+   }
+ 
+   CipherKey userKey;
+-  if (!res)
+-    cerr << _("Zero length password not allowed\n");
+-  else
++  if (!res) {
++    cerr << _("fatal: error reading password\n");
++    exit(1);
++  } else {
+     userKey = makeKey(passBuf, strlen(passBuf));
++  }
+ 
+   memset(passBuf, 0, sizeof(passBuf));