The master branch of the dragonfly project contains unpatched sources from redis, in which CVE-2022-33105 was reported with high severity. The function `streamGetEdgeID` from `dragonfly/src/redis/t_stream.c` does not include the patches and updates available in newer versions of redis, which can cause a memory leak. The fix for this CVE can be found in this commit: redis commit.
To ensure that all patches are applied, I recommend updating the redis files in the dragonfly project to the latest version.
My report was primarily based on a static analysis tool developed at CAST, which flagged the potential vulnerability due to similarities in the codebase.