CVE-2006-6097
published 2006-11-24CVE-2006-6097: GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES…
PriorityP425medium4CVSS 2.0
AVNACHAuNCNIPAP
EXPLOIT
EPSS
11.08%
95.4th percentile
GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tar | < tar 1.16-2 (bookworm) | tar 1.16-2 (bookworm) |
| gnu | tar | — | — |
| gnu | tar | — | — |
| gnu | tar | >= 0 < 1.16-2 | 1.16-2 |
| gnu | tar | >= 0 < 1.16-2 | 1.16-2 |
| gnu | tar | >= 0 < 1.16-2 | 1.16-2 |
| gnu | tar | >= 0 < 1.16-2 | 1.16-2 |
CVSS provenance
nvdv2.04.0MEDIUMAV:N/AC:H/Au:N/C:N/I:P/A:P
osv5.0MEDIUM
vendor_debian5.0HIGH
vendor_redhat5.0MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
BSD
FreeBSD-SA-06:26.gtar: gtar name mangling symlink vulnerability
bsd_advisories·2006-12-06·CVSS 4.0
CVE-2006-6097 [MEDIUM] FreeBSD-SA-06:26.gtar: gtar name mangling symlink vulnerability
FreeBSD-SA-06:26.gtar Security Advisory
The FreeBSD Project
Topic: gtar name mangling symlink vulnerability
Category: contrib
Module: contrib_tar
Announced: 2006-12-06
Credits: Teemu Salmela
Affects: FreeBSD 4.x and 5.x releases
Corrected: 2006-12-06 09:16:17 UTC (RELENG_5, 5.5-STABLE)
2006-12-06 09:16:41 UTC (RELENG_5_5, 5.5-RELEASE-p9)
2006-12-06 09:17:09 UTC (RELENG_4, 4.11-STABLE)
2006-12-06 09:18:02 UTC (RELENG_4_11, 4.11-RELEASE-p26)
CVE Name: CVE-2006-6097
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
GNU tar (gtar) is a utility to create and extract "tape archives",
commonly known as tar files. GNU tar is included in FreeBSD 4.x as
/usr/bin/t
Ubuntu
tar vulnerability
vendor_ubuntu·2006-11-27
CVE-2006-6097 tar vulnerability
Title: tar vulnerability
Summary: tar vulnerability
Teemu Salmela discovered that tar still handled the deprecated
GNUTYPE_NAMES record type. This record type could be used to create
symlinks that would be followed while unpacking a tar archive. If a
user or an automated system were tricked into unpacking a specially
crafted tar file, arbitrary files could be overwritten with user
privileges.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
security flaw
vendor_redhat·2006-11-21·CVSS 5.0
CVE-2006-6097 [MEDIUM] security flaw
security flaw
GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.
Statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Debian
CVE-2006-6097: tar - GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attac...
vendor_debian·2006·CVSS 5.0
CVE-2006-6097 [MEDIUM] CVE-2006-6097: tar - GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attac...
GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.
Scope: local
bookworm: resolved (fixed in 1.16-2)
bullseye: resolved (fixed in 1.16-2)
forky: resolved (fixed in 1.16-2)
sid: resolved (fixed in 1.16-2)
trixie: resolved (fixed in 1.16-2)
VulDB
GNU tar 1.15.1/1.16 TAR Archive GNUTYPE_NAMES path traversal (EDB-29160 / Nessus ID 67428)
vuldb·2026-04-28·CVSS 4.0
CVE-2006-6097 [MEDIUM] GNU tar 1.15.1/1.16 TAR Archive GNUTYPE_NAMES path traversal (EDB-29160 / Nessus ID 67428)
A vulnerability was found in GNU tar 1.15.1/1.16. It has been declared as problematic. This affects an unknown part of the component TAR Archive Handler. Such manipulation of the argument GNUTYPE_NAMES leads to path traversal.
This vulnerability is listed as CVE-2006-6097. The attack must be carried out from within the local network. In addition, an exploit is available.
It is recommended to use an alternative to replace the affected component.
GHSA
GHSA-f4p7-cvff-gr4c: GNU tar 1
ghsa_unreviewed·2022-05-03·CVSS 5.0
CVE-2006-6097 [MEDIUM] GHSA-f4p7-cvff-gr4c: GNU tar 1
GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.
OSV
CVE-2006-6097: GNU tar 1
osv·2006-11-24·CVSS 5.0
CVE-2006-6097 [MEDIUM] CVE-2006-6097: GNU tar 1
GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.
No detection rules found.
Bugzilla
CVE-2006-6097 security flaw
bugzilla·2018-08-16·CVSS 5.0
CVE-2006-6097 [MEDIUM] CVE-2006-6097 security flaw
CVE-2006-6097 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.
---
Statement:
Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Bugzilla
CVE-2006-6097 GNU tar directory traversal
bugzilla·2006-12-05·CVSS 4.0
CVE-2006-6097 [MEDIUM] CVE-2006-6097 GNU tar directory traversal
CVE-2006-6097 GNU tar directory traversal
*** Bug 219500 has been marked as a duplicate of this bug. ***
Discussion:
fix affected version
---
20061214
Bugzilla
CVE-2006-6097 GNU tar directory traversal
bugzilla·2006-11-22·CVSS 4.0
CVE-2006-6097 [MEDIUM] CVE-2006-6097 GNU tar directory traversal
CVE-2006-6097 GNU tar directory traversal
Description of problem:
GNU tar contains a flaw, that makes tar overwrite an arbitrairy file when
extracting a crafted archive.
See the original advisory for details.
Steps to Reproduce:
#TAR=/usr/src/redhat/BUILD/tar-1.13.25/src/tar
TAR=tar
# crafting a symlink
gcc -o tarxyz tarxyz.c
./tarxyz > xyz.tar
# cleaning environment up
rm -f/home/$USER/hello.txt
rm -f xyz
# adding files, relative to xyz/
mkdir -p xyz/home/$USER
echo "Hello" > xyz/home/$USER/hello.txt
tar -rf xyz.tar xyz/home/$USER
# exploitation
rm -rf xyz # so symlink to / can be created
$TAR -xf xyz.tar
cat /home/$USER/hello.txt
Additional info:
All supported RHEL (2.1--4) and FC (5,6) releases are vulnerable
Discussion:
Kees Cook (of Ubuntu) reported an issue to upstre
ftp://patches.sgi.com/support/free/security/advisories/20061202-01-P.aschttp://docs.info.apple.com/article.html?artnum=305214http://kb.vmware.com/KanisaPlatform/Publishing/817/2240267_f.SAL_Public.htmlhttp://lists.apple.com/archives/security-announce/2007/Mar/msg00002.htmlhttp://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050812.htmlhttp://rhn.redhat.com/errata/RHSA-2006-0749.htmlhttp://secunia.com/advisories/23115http://secunia.com/advisories/23117http://secunia.com/advisories/23142http://secunia.com/advisories/23146http://secunia.com/advisories/23163http://secunia.com/advisories/23173http://secunia.com/advisories/23198http://secunia.com/advisories/23209http://secunia.com/advisories/23314http://secunia.com/advisories/23443http://secunia.com/advisories/23514http://secunia.com/advisories/23911http://secunia.com/advisories/24479http://secunia.com/advisories/24636http://security.freebsd.org/advisories/FreeBSD-SA-06:26.gtar.aschttp://security.gentoo.org/glsa/glsa-200612-10.xmlhttp://securityreason.com/securityalert/1918http://securitytracker.com/id?1017423http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.469379http://support.avaya.com/elmodocs2/security/ASA-2007-015.htmhttp://www.debian.org/security/2006/dsa-1223http://www.mandriva.com/security/advisories?name=MDKSA-2006:219http://www.openpkg.com/security/advisories/OpenPKG-SA-2006.038.htmlhttp://www.securityfocus.com/archive/1/453286/100/0/threadedhttp://www.securityfocus.com/archive/1/464268/100/0/threadedhttp://www.securityfocus.com/bid/21235http://www.trustix.org/errata/2006/0068/http://www.ubuntu.com/usn/usn-385-1http://www.us-cert.gov/cas/techalerts/TA07-072A.htmlhttp://www.vmware.com/support/esx25/doc/esx-254-200702-patch.htmlhttp://www.vupen.com/english/advisories/2006/4717http://www.vupen.com/english/advisories/2006/5102http://www.vupen.com/english/advisories/2007/0930http://www.vupen.com/english/advisories/2007/1171https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216937https://issues.rpath.com/browse/RPL-821https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10963ftp://patches.sgi.com/support/free/security/advisories/20061202-01-P.aschttp://docs.info.apple.com/article.html?artnum=305214http://kb.vmware.com/KanisaPlatform/Publishing/817/2240267_f.SAL_Public.htmlhttp://lists.apple.com/archives/security-announce/2007/Mar/msg00002.htmlhttp://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050812.htmlhttp://rhn.redhat.com/errata/RHSA-2006-0749.htmlhttp://secunia.com/advisories/23115http://secunia.com/advisories/23117http://secunia.com/advisories/23142http://secunia.com/advisories/23146http://secunia.com/advisories/23163http://secunia.com/advisories/23173http://secunia.com/advisories/23198http://secunia.com/advisories/23209http://secunia.com/advisories/23314http://secunia.com/advisories/23443http://secunia.com/advisories/23514http://secunia.com/advisories/23911http://secunia.com/advisories/24479http://secunia.com/advisories/24636http://security.freebsd.org/advisories/FreeBSD-SA-06:26.gtar.aschttp://security.gentoo.org/glsa/glsa-200612-10.xmlhttp://securityreason.com/securityalert/1918http://securitytracker.com/id?1017423http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.469379http://support.avaya.com/elmodocs2/security/ASA-2007-015.htmhttp://www.debian.org/security/2006/dsa-1223http://www.mandriva.com/security/advisories?name=MDKSA-2006:219http://www.openpkg.com/security/advisories/OpenPKG-SA-2006.038.htmlhttp://www.securityfocus.com/archive/1/453286/100/0/threadedhttp://www.securityfocus.com/archive/1/464268/100/0/threadedhttp://www.securityfocus.com/bid/21235http://www.trustix.org/errata/2006/0068/http://www.ubuntu.com/usn/usn-385-1http://www.us-cert.gov/cas/techalerts/TA07-072A.htmlhttp://www.vmware.com/support/esx25/doc/esx-254-200702-patch.htmlhttp://www.vupen.com/english/advisories/2006/4717http://www.vupen.com/english/advisories/2006/5102http://www.vupen.com/english/advisories/2007/0930http://www.vupen.com/english/advisories/2007/1171https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216937https://issues.rpath.com/browse/RPL-821https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10963
2006-11-24
Published