TL;DR: If you rely on the qpress file archiver, you should update it ASAP.

On August 19th, 2022, Otto Kekalainen and Mikhail Chalov from AWS reached out by email to let me know they had found and fixed a directory traversal vulnerability in the qpress file archiver.

Traversals are a big no-no, especially in production environments. On top of that, Percona and MariaDB rely on qpress to perform database backups since it can compress large amounts of data very quickly, meaning that it’s bound to be installed on sensitive hosts.

Unfortunately, the project upstream is dead - which prompted me to fork it in the first place. As of this writing, the project homepage no longer loads.

Mikhail’s pull request is available here, with step-by-step instructions to reproduce the issue (which requires a malicious payload) if you are interested.
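For readers unfamiliar with this bug class, here is an added example of the kind of entry-name check an extractor needs before writing a file. It is not Mikhail's patch or code from qpress. The function names and the sample listing are hypothetical and constructed for illustration.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical helper, not taken from qpress: decide whether an entry name
// read from an archive may be joined to the extraction directory.
bool is_safe_entry_name(const std::string& name) {
    if (name.empty() || name.find('\0') != std::string::npos) return false;
    // Absolute names replace the extraction directory instead of extending it.
    if (name[0] == '/' || name[0] == '\\') return false;
    // Windows drive prefix such as "C:" (conservative: also refuses "a:b").
    if (name.size() >= 2 && name[1] == ':') return false;

    bool has_real_component = false;
    std::string part;
    for (std::size_t i = 0; i <= name.size(); ++i) {
        // Treat end of string as a separator so the last component is checked.
        const char c = (i == name.size()) ? '/' : name[i];
        if (c != '/' && c != '\\') { part += c; continue; }
        // Refuse every ".." component, even when the path would lexically
        // stay inside the directory (e.g. "a/../b").
        if (part == "..") return false;
        if (!part.empty() && part != ".") has_real_component = true;
        part.clear();
    }
    return has_real_component;  // refuses names such as "." or "./"
}

// Returns the entry names that must not be extracted.
std::vector<std::string> rejected_entries(const std::vector<std::string>& names) {
    std::vector<std::string> bad;
    for (const auto& n : names)
        if (!is_safe_entry_name(n)) bad.push_back(n);
    return bad;
}

// Constructed sample listing, not read from a real archive.
std::vector<std::string> sample_listing() {
    return {"backup/ibdata1", "./backup/db/t1.ibd", "../../outside.txt",
            "backup/../../outside.txt", "/tmp/outside.txt",
            "..hidden/file", "backup\\..\\..\\outside.txt"};
}
```

This check is purely lexical: it does not detect a symlink inside the extraction directory that points elsewhere, which an extractor has to handle separately.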

If you installed the qpress archiver, either from the original source or an older version of my fork, you should build a fresh binary using the 20220819 tag (or later) of my fork, which includes Mikhail’s fix.

If you installed qpress from a Linux repo: as far as I can tell, these repos are still using the original unpatched 2010 source. You should replace your executable with a freshly built binary that includes the patch.