CVE-2008-3356

Properties

Published: 04.08.2008
Updated: 06.08.2008
Patch available:
Severity: Medium
CVSS vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Product: Ingres: Ingres

Vulnerability description

verifydb in Ingres 2.6, Ingres 2006 release 1 (aka 9.0.4), and Ingres 2006 release 2 (aka 9.1.0) on Linux and other Unix platforms sets the ownership or permissions of an iivdb.log file without verifying that it is the application's own log file, which allows local users to overwrite arbitrary files by creating a symlink with an iivdb.log filename.

References:

IDEFENSE: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=731
http://www.ingres.com/support/security-alert-080108.php
BID: http://www.securityfocus.com/bid/30512
SECTRACK: http://securitytracker.com/id?1020613
SECUNIA: http://secunia.com/advisories/31357