An important security patch for the qpress file archiver
TL;DR: If you rely on the qpress file archiver, you should update it ASAP.
On August 19th, 2022, Otto Kekalainen and Mikhail Chalov from AWS reached out by email to let me know they had found and fixed a directory traversal vulnerability in the qpress file archiver.
Traversals are a big no-no, especially in production environments. On top of that, Percona and MariaDB rely on qpress to perform database backups since it can compress large amounts of data very quickly, meaning that it’s bound to be installed on sensitive hosts.
Unfortunately, the project upstream is dead - which prompted me to fork it in the first place. As of this writing, the project homepage no longer loads.
Mikhail’s pull request is available here, with step-by-step instructions to reproduce the issue (which requires a malicious payload) if you are interested.
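As an added illustration of the kind of check that closes a traversal in an archive extractor (written for this post, not qpress's own code and not Mikhail's patch), the snippet below lexically normalises the file name stored in an archive entry and rejects any name that is absolute or that would climb above the extraction directory. The root directory and entry names in the test are constructed examples.

```cpp
#include <string>
#include <vector>

// Normalises an archive entry name before it is used to open an output file.
// Both '/' and '\\' are treated as separators (qpress also runs on Windows), and
// the components are walked with a stack so that "a/../../x" is caught even
// though it starts with a harmless-looking directory. Returns false when the
// name is absolute, carries a drive prefix, or any ".." would leave the root.
// On success `out` receives the cleaned relative path, e.g. "db/../x" -> "x".
bool normalize_entry_name(const std::string& name, std::string& out) {
    if (name.empty()) return false;
    if (name[0] == '/' || name[0] == '\\') return false;   // absolute path
    if (name.size() > 1 && name[1] == ':') return false;   // "C:..." style drive prefix
    std::vector<std::string> parts;
    std::string cur;
    auto flush = [&]() -> bool {                           // consume one component
        if (cur.empty() || cur == ".") { cur.clear(); return true; }
        if (cur == "..") {
            cur.clear();
            if (parts.empty()) return false;               // would escape the root
            parts.pop_back();
            return true;
        }
        parts.push_back(cur);
        cur.clear();
        return true;
    };
    for (char c : name) {
        if (c == '/' || c == '\\') { if (!flush()) return false; }
        else cur += c;
    }
    if (!flush()) return false;
    if (parts.empty()) return false;                       // resolved to the root itself
    out.clear();
    for (size_t i = 0; i < parts.size(); ++i) { if (i) out += '/'; out += parts[i]; }
    return true;
}

bool is_safe_entry_name(const std::string& name) {
    std::string tmp;
    return normalize_entry_name(name, tmp);
}

// Builds the on-disk target for an entry; an empty string means "skip and report".
std::string extraction_target(const std::string& root, const std::string& name) {
    std::string rel;
    if (!normalize_entry_name(name, rel)) return std::string();
    return root + "/" + rel;
}
```

An extractor should apply this check to every entry before creating the file, and treat a rejected name as a reason to abort or log rather than silently skip.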
If you installed the qpress archiver, either from the original source or an older version of my fork, you should build a fresh binary using the 20220819 tag (or later) of my fork, which includes Mikhail’s fix.
If you installed qpress from a Linux repo, as far as I can tell, these are still using the original unpatched 2010 source. You should replace your executable with a freshly built binary which includes the patch.