According to the posting on oss-security :
Alexis Vanden Eijnde has discovered a zipinfo buffer overflow...
I shall attach a patch (constructed locally because upstream has no public VCS) after I submit this report.
Created attachment 455550 [details, diff]
patch constructed according to the discussion on oss-security
Patch is in the Debian patchset which Gentoo ships:
@base-system, please clean vulnerable