Correct source package name for CVE-2018-5996, it's in the non-free p7zip-rar instead

There was created only one bug #888297 for both CVEs, but those CVEs one
affect p7zip (possibly, untriaged if the versions in Debian are
affected) and p7zip-rar in non-free (as well only possibly affected;
untriaged).