PT-2008-4761 · Actian · Ingres

Published 2008-08-05 · Updated 2018-10-11 · CVE-2008-3356

CVSS v2.0: 4.6 (Medium)

Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Ingres versions 2.6, 9.0.4, 9.1.0

Description

verifydb in Ingres sets the ownership or permissions of an iivdb.log file without verifying that it is the application's own log file. This allows local users to overwrite arbitrary files by creating a symlink with the iivdb.log filename.

Recommendations

For Ingres version 2.6, ensure that the iivdb.log file is properly verified before setting its ownership or permissions. For Ingres version 9.0.4, restrict access to the verifydb function to prevent unauthorized modifications to the iivdb.log file. For Ingres version 9.1.0, consider disabling the verifydb function until a proper fix is applied to prevent the overwrite of arbitrary files.

Related Identifiers

CVE-2008-3356

Affected Products

Ingres