References: https://blogs.gentoo.org/ago/2017/06/28/xar-null-pointer-dereference-in-xar_unserialize-archive-c/
Package has no maintainer, CCing maintainer-needed
Supposedly fixed in 1.8 (according to bug #624642).
Yes the confirming in bug #624642 was done using a Gentoo Linux amd64 box.
Same issue reported in duplicate bug. CVE freed. *** This bug has been marked as a duplicate of bug 624642 ***