The read_MSAT function in ole.c in libxls 1.4.0 has a double free that allows attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2017-2897.
The read_MSAT_body function in ole.c in libxls 1.4.0 has an invalid free that allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, because of inconsistent memory management (new versus free) in ole2_read_header in ole.c.
Slyfox, please take a look at the two bugs, and advise if fixed or take appropriate actions.
Both are fixed in >=dev-libs/libxls-1.5.2-r1 (lowest available version in ::gentoo).
(In reply to Sergei Trofimovich from comment #2)
> Both are fixed in >=dev-libs/libxls-1.5.2-r1 (lowest available version in
This issue was resolved and addressed in
GLSA 202003-64 at https://security.gentoo.org/glsa/202003-64
by GLSA coordinator Thomas Deutschmann (whissi).