International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.

References:
https://bugs.chromium.org/p/chromium/issues/detail?id=900059
https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51
https://unicode-org.atlassian.net/browse/ICU-20246
Created icu tracking bugs for this issue:
Affects: fedora-all [bug 1646703]
Statement: This issue did not affect the versions of icu as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not include the vulnerable class. This issue did not affect the versions of java-1.6.0-openjdk, java-1.7.0-openjdk and java-1.8.0-openjdk as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not include the vulnerable class. This issue did not affect the versions of webkitgtk4 as shipped with Red Hat Enterprise Linux 7 as they did not include the vulnerable class.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-18928