A buffer overflow can occur when calculating the quantile value using the Statistics Library of GSL (GNU Scientific Library), versions 2.5 and 2.6. Processing maliciously crafted input data for gsl_stats_quantile_from_sorted_data of the library may lead to unexpected application termination or arbitrary code execution.

References:
https://savannah.gnu.org/bugs/?59624
https://git.savannah.gnu.org/cgit/gsl.git/commit/?id=989a193268b963aa1047814f7f1402084fb7d859
Created gsl tracking bugs for this issue: Affects: fedora-all [bug 2243104]
Upstream commit for this issue: https://git.savannah.gnu.org/cgit/gsl.git/commit/?id=989a193268b963aa1047814f7f1402084fb7d859
The buffer overflow happens in the gsl_stats_quantile_from_sorted_data() function from statistics/quantiles_source.c when the `f` parameter is outside the expected range (a fraction between 0 and 1), causing an out-of-bounds read of the user-controlled data array parameter in one of the following lines:

  if (lhs == n - 1)
    {
      result = sorted_data[lhs * stride] ;   <--------------------
    }
  else
    {
      result = (1 - delta) * sorted_data[lhs * stride] + delta * sorted_data[(lhs + 1) * stride] ;   <--------------------
    }

As a result, the application using the function will crash with a segmentation fault. Since the buffer overflow happens on a read and the base array is provided by the user, it's very unlikely an attacker could achieve arbitrary code execution.
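Added example (not GSL's code and not part of the bug report): the index arithmetic the comment describes, reproduced in a checker that reports when an out-of-range `f` would index past the array, beside a hypothetical validating wrapper that rejects such an `f` before any read. The sample array and both function names are constructed for this illustration.

```c
#include <stddef.h>
#include <math.h>

/* Constructed sorted sample for the demonstration (not from the bug report). */
static const double sample[] = { 1.0, 2.0, 4.0, 8.0, 16.0 };
#define SAMPLE_N (sizeof sample / sizeof sample[0])

/* Reproduces only the index arithmetic described above (index = f*(n-1),
 * lhs = (int)index, rhs = lhs + 1 unless lhs is the last element) without
 * dereferencing anything. Returns 1 when both indices stay inside an
 * n-element array, 0 when an unvalidated f would read out of bounds. */
int unchecked_indices_in_bounds(size_t n, double f, size_t *lhs_out, size_t *rhs_out)
{
    double index = f * (double)(n - 1);
    size_t lhs = (size_t)(int)index;       /* a negative f wraps to a huge size_t */
    size_t rhs = (lhs == n - 1) ? lhs : lhs + 1;
    if (lhs_out) *lhs_out = lhs;
    if (rhs_out) *rhs_out = rhs;
    return lhs < n && rhs < n;
}

/* Hypothetical hardened wrapper (not GSL's API): validates every argument
 * before any indexing, so a caller-controlled f can no longer drive the read
 * past the end of sorted_data. Returns 0 on success, -1 on rejection. */
int safe_quantile_from_sorted_data(const double *sorted_data, size_t stride,
                                   size_t n, double f, double *result)
{
    if (sorted_data == NULL || result == NULL || n == 0 || stride == 0)
        return -1;
    if (!(f >= 0.0 && f <= 1.0))           /* written this way so NaN is rejected too */
        return -1;
    double index = f * (double)(n - 1);
    size_t lhs = (size_t)index;            /* now guaranteed to be <= n - 1 */
    double delta = index - (double)lhs;

    if (lhs >= n - 1)
        *result = sorted_data[(n - 1) * stride];
    else
        *result = (1.0 - delta) * sorted_data[lhs * stride]
                + delta * sorted_data[(lhs + 1) * stride];
    return 0;
}

int main(void)
{
    double q;
    /* f = 1.5 is rejected by the wrapper; the unchecked arithmetic would index 6 and 7. */
    return (safe_quantile_from_sorted_data(sample, 1, SAMPLE_N, 1.5, &q) == -1
            && !unchecked_indices_in_bounds(SAMPLE_N, 1.5, NULL, NULL)) ? 0 : 1;
}
```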