Description:
CVE-2019-19917 Lout 3.40 has a buffer overflow in the StringQuotedWord() function in z39.c.
CVE-2019-19918 Lout 3.40 has a heap-based buffer overflow in the srcnext() function in z02.c.

lout fails to build from source due to missing systemd in make depends so sysusers.d is not available to create the users group [1].
Patch fixing both CVEs from Fedora [2]. PKGBUILD.diff [3] also adjusts the custom Makefile to use CPPFLAGS CFLAGS and LDFLAGS so adds FULL RELRO e.t.c..

Additional info:
* lout 3.40-2
[1] lout-3.40-2-x86_64-package.log
[2] https://src.fedoraproject.org/rpms/lout/blob/rawhide/f/lout-3.40-cve.patch
[3] PKGBUILD.diff

Steps to reproduce:
Build package in a clean chroot.