dragonflydb / dragonfly

A modern replacement for Redis and Memcached
https://www.dragonflydb.io/

Unpatched Redis Sources (CVE-2022-33105) #3830

Open Garnik645 opened 2 days ago

Garnik645 commented 2 days ago

The master branch of the dragonfly project contains unpatched sources from redis, in which CVE-2022-33105 was reported with high severity. The function streamGetEdgeID from dragonfly/src/redis/t_stream.c does not include patches and updates available in newer versions of redis, which can cause a memory leak. The fix for the CVE can be found in this commit: redis commit.

To ensure that all patches are applied, I recommend updating the redis files in the dragonfly project to the latest version.

My report was primarily based on a static analysis tool developed at CAST, which flagged the potential vulnerability due to similarities in the codebase.

romange commented 2 days ago

Thanks for reporting this, we will sync t_stream with Valkey OSS.