Debian-LTS has issued an advisory today (January 31):
The upstream commit is linked from here:
Mageia 5 is also affected.
The updated packages fix a security vulnerability:
An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive. (CVE-2017-5601)
Updated packages in core/updates_testing:
MGA5-32 on Asus A6000VM Xfce
No installation issues
$ strace -o libarchive.txt engrampa
Created an empty test.tar.gz archive and added a folder to it containing 39 subfolders and 620 files of all sorts (odt, doc, ods, xlsx, odp, jpeg, png, pnm, pdf and some more)
Found numerous calls to libarchive in the trace
Moved the test.tar.gz archive to another folder and extracted it there. Found all folders back, opened some folders of different types, no problem found.
Similar testing on my x86_64 system.
Validating the update
advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository.