CVE-2022-45866: 
Linux Fedora vulnerability analysis and mitigation

qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file. The vulnerability was discovered in 2022 and assigned identifier CVE-2022-45866. The issue affects the qpress file archiver, which is designed to utilize fast storage systems using QuickLZ compression (CVE Details, MITRE).

The vulnerability exists in the quicklz.c source file, specifically in the qlz_decompress function. The issue occurs when copying user-supplied binary data over heap allocated memory buffers of user-controlled size. The first memcpy invocation copies data from a user-provided compressed file into a heap-allocated buffer where the size is controlled by the user via the compressed file header. This allows heap corruption with user-controlled data (GitHub PR).

The vulnerability could potentially lead to heap corruption and arbitrary code execution in processes that utilize the vulnerable function. This is particularly concerning for applications like xbstream with the --decompress flag. The impact is significant as qpress is used in various products, including Percona XtraBackup, making the vulnerability's reach extensive (GitHub PR).

The vulnerability has been patched in PierreLvx/qpress version 20220819 and version 11.3. The fix includes implementing boundary checks for arrays before decompression and rejecting commands that attempt directory traversal. Updates have been released for various distributions including Fedora 35, 36, and 37 (Fedora Update).