VULNERABILITY DETAILS
The code in libicu looking for a file in /usr/share/zoneinfo matching given timezone data has a buffer overflow. It assumes that all paths are shorter than PATH_MAX (= 4096), which is not true at all.

Here's the relevant code:
https://cs.chromium.org/chromium/src/third_party/icu/source/common/putil.cpp?sq=package:chromium&dr=C&rcl=1475853592&l=940

Relevant snippet:

    char curpath[MAX_PATH_SIZE];
    DIR* dirp = opendir(path);
    DIR* subDirp = NULL;
    struct dirent* dirEntry = NULL;

    [...snip...]

    /* Save the current path */
    uprv_memset(curpath, 0, MAX_PATH_SIZE);
    uprv_strcpy(curpath, path);

    /* Check each entry in the directory. */
    while((dirEntry = readdir(dirp)) != NULL) {
        const char* dirName = dirEntry->d_name;
        if (uprv_strcmp(dirName, SKIP1) != 0 && uprv_strcmp(dirName, SKIP2) != 0) {
            /* Create a newpath with the new entry to test each entry in the directory. */
            char newpath[MAX_PATH_SIZE];
            uprv_strcpy(newpath, curpath);
            uprv_strcat(newpath, dirName);
    [...snip...]
    }

Clearly, if strlen(curpath) + strlen(dirname) > PATH_MAX, then uprv_strcat writes after newpath buffer.

The impact probably isn't very large, as you need elevated privileges to add stuff to /usr/share/zoneinfo anyway.

VERSION
Chrome Version: all
Operating System: Linux, probably others.

REPRODUCTION CASE
First you need to create very long path in /usr/share/zoneinfo. You'll likely need to temporarily move your regular timezone file away from /usr/share/zoneinfo so that it's not found before your crafted path. Then it works something like this:

xyzzyz@xyzzyz:~/chromium/src$ gdb -- ./out/Default/base_unittests 
GNU gdb (GDB) 7.9-gg19
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-grtev4-linux-gnu".
Type "show configuration" for configuration details.

<http://go/gdb-home FAQ: http://go/gdb-faq Email: c-toolchain-team IRC: gdb>
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
---- Loading Rust pretty-printers ----
Reading symbols from ./out/Default/base_unittests...done.
Unable to determine compiler version.
Skipping loading of libstdc++ pretty-printers for now.
Non-google3 binary detected.
(gdb) break ../../third_party/icu/source/common/putil.cpp:939 if strlen(curpath) + strlen(dirName) > 4096
Breakpoint 1 at 0x11224f9: file ../../third_party/icu/source/common/putil.cpp, line 939.
(gdb) r
Starting program: /usr/local/google/home/xyzzyz/chromium/src/out/Default/base_unittests 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/grte/v4/lib64/libthread_db.so.1".
Debugger detected, switching to single process mode.
Pass --test-launcher-debug-launcher to debug the launcher itself.

Breakpoint 1, searchForTZFile (
    path=0x7ffffffd9ff0 "/usr/share/zoneinfo/America/A", 'a' <repeats 171 times>..., 
    tzInfo=0xc328ecb24a0) at ../../third_party/icu/source/common/putil.cpp:939
939                 uprv_strcpy(newpath, curpath);
(gdb) p strlen(curpath)
$1 = 4060
(gdb) p strlen(dirName)
$2 = 251
(gdb) n
940                 uprv_strcat(newpath, dirName);
(gdb) n
942                 if ((subDirp = opendir(newpath)) != NULL) {
(gdb) p strlen(newpath)
$3 = 4311