In libksba, there is a buffer overflow on line 516 in the append_ucs2_value() function, where a UCS-2 code unit of 0x800 or above is encoded as three UTF-8 bytes:
503       c = *s++ << 8;
504       c |= *s++;
505       n += 2;
506       i=0;
507       if (c < (1<<11))
508         {
509           tmp[i++] = 0xc0 | ( c >> 6);
510           tmp[i++] = 0x80 | ( c & 0x3f);
511         }
512       else
513         {
514           tmp[i++] = 0xe0 | ( c >> 12);
515           tmp[i++] = 0x80 | ((c >> 6) & 0x3f);
516           tmp[i++] = 0x80 | ( c & 0x3f);
517         }
518       put_stringbuf_mem (sb, tmp, i);
The tmp buffer is declared as:
467 unsigned char tmp[2];
I think the proper fix is to extend the tmp buffer to
be at least 3 chars long.
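The following is an added example, not libksba's code, showing the same UCS-2 to UTF-8 encoding with a 3-byte scratch buffer and an explicit capacity check, so that a code unit of 0x800 or above is either written in full or rejected rather than overrunning the buffer. The function names, the 1-byte ASCII case and the constructed sample input are assumptions for this example; the bit arithmetic for the 2- and 3-byte cases is the same as in the snippet above.

```c
#include <stddef.h>
#include <string.h>

/* Number of UTF-8 bytes needed for one UCS-2 code unit c (0..0xFFFF).
 * Values below 0x800 (1<<11) fit in two bytes; everything else needs
 * three, which is why a 2-byte scratch buffer is too small. */
size_t utf8_len_for_ucs2(unsigned int c)
{
    if (c < 0x80)
        return 1;
    if (c < (1u << 11))
        return 2;
    return 3;
}

/* Encode one UCS-2 code unit into tmp, which holds tmpcap bytes.
 * Returns the number of bytes written, or 0 if tmp is too small. */
size_t encode_ucs2_unit(unsigned int c, unsigned char *tmp, size_t tmpcap)
{
    size_t need = utf8_len_for_ucs2(c);
    if (need > tmpcap)
        return 0;                       /* refuse instead of overflowing */
    if (need == 1) {
        tmp[0] = (unsigned char)c;
    } else if (need == 2) {
        tmp[0] = (unsigned char)(0xc0 | (c >> 6));
        tmp[1] = (unsigned char)(0x80 | (c & 0x3f));
    } else {
        tmp[0] = (unsigned char)(0xe0 | (c >> 12));
        tmp[1] = (unsigned char)(0x80 | ((c >> 6) & 0x3f));
        tmp[2] = (unsigned char)(0x80 | (c & 0x3f));
    }
    return need;
}

/* Convert a big-endian UCS-2 byte string (len must be even) to UTF-8.
 * Returns bytes written, or (size_t)-1 on bad input or a full output buffer. */
size_t ucs2be_to_utf8(const unsigned char *s, size_t len,
                      unsigned char *out, size_t outcap)
{
    unsigned char tmp[3];   /* 3 bytes: enough for any single UCS-2 unit */
    size_t n = 0;
    if (len % 2)
        return (size_t)-1;
    for (size_t i = 0; i < len; i += 2) {
        unsigned int c = ((unsigned int)s[i] << 8) | s[i + 1];
        size_t k = encode_ucs2_unit(c, tmp, sizeof tmp);
        if (k == 0 || n + k > outcap)
            return (size_t)-1;
        memcpy(out + n, tmp, k);
        n += k;
    }
    return n;
}

/* Helper for experiments: encode c into a 3-byte buffer but advertise only
 * cap bytes of capacity, to show the check rejecting a 2-byte buffer. */
size_t bytes_written_with_cap(unsigned int c, size_t cap)
{
    unsigned char tmp[3];
    return encode_ucs2_unit(c, tmp, cap < 3 ? cap : 3);
}

/* Constructed sample: "A", U+00E9, U+20AC -> 41 C3 A9 E2 82 AC */
static const unsigned char sample_ucs2[] = { 0x00, 0x41, 0x00, 0xE9, 0x20, 0xAC };
static const unsigned char sample_utf8[] = { 0x41, 0xC3, 0xA9, 0xE2, 0x82, 0xAC };

/* Returns 1 if the sample converts to the expected UTF-8 bytes. */
int demo_matches_expected(void)
{
    unsigned char out[16];
    size_t n = ucs2be_to_utf8(sample_ucs2, sizeof sample_ucs2, out, sizeof out);
    return n == sizeof sample_utf8 && memcmp(out, sample_utf8, n) == 0;
}
```

With a 2-byte capacity, encode_ucs2_unit() returns 0 for U+20AC instead of writing a third byte past the end; with the 3-byte buffer every UCS-2 unit fits.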