lharc.c in lha does not securely create temporary files, which might allow local users to read or write files by creating a file before LHA is invoked.
The vuln does not affect Gentoo. app-arch/lha doesn't have the issue because it uses the lha-autoconf version, which does not have the vuln reported by upstream.
http://lists.sourceforge.jp/mailman/archives/lha-users/2007-April/000428.html
http://lists.sourceforge.jp/mailman/archives/lha-users/2007-April/000431.html
Matsuu, thanks for the analysis.
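The class of bug named in the description at the top of this report, shown as an added example; it is not code from lharc.c, lha-autoconf or anyone in this thread. The function names, the scratch directory and the file names are constructed for illustration, and the unsafe pattern is a generic one, since the report does not quote the affected code.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: fixed name, no O_EXCL. If the file was created before the
 * program ran, open() succeeds and the program works on someone else's file. */
int open_tmp_unsafe(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
}

/* Fixed name done safely: O_EXCL makes open() fail with EEXIST if anything
 * (regular file or symlink) already exists at path. */
int open_tmp_excl(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario; returns 0 when all three cases behave as commented.
 * mkstemp() is the preferred form: unpredictable name, O_EXCL, mode 0600. */
int demo(void) {
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";   /* constructed scratch dir */
    char fixed[64], tmpl[64];
    struct stat st;
    int ok = 1, fd;

    if (!mkdtemp(dir)) return -1;
    snprintf(fixed, sizeof fixed, "%s/fixed.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/tmpXXXXXX", dir);

    /* Stand-in for a file that exists before the program is invoked. */
    fd = open(fixed, O_WRONLY | O_CREAT, 0666);
    if (fd < 0) return -1;
    close(fd);

    fd = open_tmp_unsafe(fixed);               /* succeeds: reuses that file */
    ok &= (fd >= 0);
    if (fd >= 0) close(fd);
    fd = open_tmp_excl(fixed);                 /* refused with EEXIST */
    ok &= (fd == -1 && errno == EEXIST);
    fd = mkstemp(tmpl);                        /* fresh file, owner-only */
    ok &= (fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600);
    if (fd >= 0) close(fd);

    unlink(tmpl); unlink(fixed); rmdir(dir);
    return ok ? 0 : 1;
}

int main(void) { return demo(); }
```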