International Components for Unicode (ICU) for C/C++ has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function.

References:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=437

Upstream patch:
http://bugs.icu-project.org/trac/changeset/39671
Created icu tracking bugs for this issue:
Affects: fedora-all [bug 1444101]

Created mingw-icu tracking bugs for this issue:
Affects: epel-7 [bug 1444100]
Affects: fedora-all [bug 1444099]
This is the same vulnerability as CVE-2017-7867 (bug 1444097), though ClusterFuzz identified it as different due to a slightly different stack trace when the crash occurred. Both are addressed by the same patch upstream, which correctly accounts for legacy 6-byte UTF-8 sequences.
*** This bug has been marked as a duplicate of bug 1444097 ***
Statement: This flaw was found to be a duplicate of CVE-2017-7867. Please see https://access.redhat.com/security/cve/CVE-2017-7867 for information about affected products and security errata.