
Bug 882779 (CVE-2022-45866)

Summary: [Tracker] Vulnerability in app-arch/qpress
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED ---
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 882783, 882781
Bug Blocks:

Description: John Helmert III, 2022-11-24 15:57:02 UTC
CVE-2022-45866:

qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file.

There's a mess of references:

https://github.com/PierreLvx/qpress/pull/6
https://github.com/EvgeniyPatlan/qpress/commit/ddb312090ebd5794e81bc6fb1dfb4e79eda48761
https://github.com/PierreLvx/qpress/compare/20170415...20220819
https://github.com/percona/percona-xtrabackup/pull/1366

So I guess qpress is bundled in some places, and there are a couple of different qpress GitHub repositories. I have no idea which, if any, are associated with the version we have packaged because the HOMEPAGE is dead, and attempting to fetch the zipfile from upstream triggers the domain-parker's WAF:

$ curl http://www.quicklz.com/qpress-1.1-source.zip
<html><head><title>406 Security Incident Detected[snip]

I'm not sure if the xtrabackup reference is actually the same issue, because that pull request fixes a memory corruption issue.
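The CVE text quoted above describes an archive path-traversal: the entry name stored inside a .qp file is used as-is to build the output path, so a crafted entry containing '../' makes the extractor write outside the directory it was asked to extract into. The following is an added example, not qpress's own code and not the fix from the pull requests referenced above; it shows the kind of per-entry validation an extractor should perform before creating any file. The function names (is_safe_entry_name, resolve_entry_path) and the sample names in the comments are my own.

```cpp
// Added example (not qpress's code): validate an archive entry name before
// using it to create a file, so that an entry such as "../../etc/cron.d/x"
// cannot escape the extraction directory.
#include <string>
#include <vector>

// Split a path on '/' and '\\' (some archivers accept both as separators,
// so a check that only looks at '/' would miss "dir\..\x").
static std::vector<std::string> split_components(const std::string& path) {
    std::vector<std::string> parts;
    std::string cur;
    for (char c : path) {
        if (c == '/' || c == '\\') {
            parts.push_back(cur);
            cur.clear();
        } else {
            cur.push_back(c);
        }
    }
    parts.push_back(cur);
    return parts;
}

// Returns true only if the entry name is a relative path that cannot leave
// the extraction directory: non-empty, no embedded NUL, no leading separator,
// no Windows drive prefix, and no ".." path component.
bool is_safe_entry_name(const std::string& name) {
    if (name.empty()) return false;
    if (name.find('\0') != std::string::npos) return false;
    if (name[0] == '/' || name[0] == '\\') return false;
    if (name.size() >= 2 && name[1] == ':') return false;   // "C:\..." style prefix
    for (const std::string& part : split_components(name)) {
        if (part == "..") return false;
    }
    return true;
}

// Joins the extraction directory with a validated entry name. Returns an
// empty string when the entry is rejected, so a caller that forgets to check
// the result still has no usable path to open.
std::string resolve_entry_path(const std::string& outdir, const std::string& name) {
    if (!is_safe_entry_name(name)) return "";
    std::string base = outdir;
    if (!base.empty() && base.back() != '/') base.push_back('/');
    return base + name;
}
```

The check is done per path component rather than by searching for the substring "..", so legitimate names such as "dir/..hidden" are still accepted while "dir/../x" is rejected. Note that this only constrains the name written into the archive; if the format can also carry symlinks, an extractor must additionally refuse to follow a previously extracted link that points outside the target directory.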