According to the posting on oss-security [1]:

Alexis Vanden Eijnde has discovered a zipinfo buffer overflow...

I shall attach a patch (constructed locally because upstream has no public VCS) after I submit this report.

[1] https://marc.info/?l=oss-security&m=148095466614279&w=2

Reproducible: Always
Created attachment 455550
patch constructed according to the discussion on oss-security
Patch is in the Debian patchset which Gentoo ships: 19-cve-2016-9844-zipinfo-buffer-overflow.patch
@base-system, please clean vulnerable