In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in read_stream in stream.c, because decompress_file in lrzip.c lacks certain size validation.
Checked the source code; the vuln seems to affect these versions too:
0.621 (stable) 0.630 (testing)
Gentoo Security Scout
All fixed in master.
Tree is clean!
Unable to check for sanity:
> dependent bug #624462 is missing keywords
Resetting sanity check; package list is empty or all packages are done.
GLSA Vote: No
Thank you all for your work.
Closing as [noglsa].