CVE-2022-45866: qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file. There's a mess of references: https://github.com/PierreLvx/qpress/pull/6 https://github.com/EvgeniyPatlan/qpress/commit/ddb312090ebd5794e81bc6fb1dfb4e79eda48761 https://github.com/PierreLvx/qpress/compare/20170415...20220819 https://github.com/percona/percona-xtrabackup/pull/1366 So I guess qpress is bundled in some places, and there's a couple different qpress GitHub repositories. I have no idea which, if any, are associated with the version we have packaged because the HOMEPAGE is dead, and attempting to fetch the zipfile from upstream triggers the domain-parker's WAF: $ curl http://www.quicklz.com/qpress-1.1-source.zip <html><head><title>406 Security Incident Detected[snip] I'm not sure if the xtrabackup reference is actually the same issue, because that pull request fixes a memory corruption issue.
