ID CVE-2006-6097
Summary GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.
References
Vulnerable Configurations
  • GNU tar 1.15.1
    cpe:2.3:a:gnu:tar:1.15.1
  • GNU tar 1.16
    cpe:2.3:a:gnu:tar:1.16
CVSS
Base: 4.0 (as of 27-11-2006 - 14:12)
Impact:
Exploitability:
Access
  • Vector NETWORK
  • Complexity HIGH
  • Authentication NONE
Impact
  • Confidentiality NONE
  • Integrity PARTIAL
  • Availability PARTIAL
exploit-db via4
description GNU Tar 1.1x GNUTYPE_NAMES Remote Directory Traversal Vulnerability. CVE-2006-6097. Remote exploit for linux platform
id EDB-ID:29160
last seen 2016-02-03
modified 2006-11-21
published 2006-11-21
reporter Teemu Salmela
source https://www.exploit-db.com/download/29160/
title GNU Tar 1.1x GNUTYPE_NAMES Remote Directory Traversal Vulnerability
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_3DD7EB5880AE11DBB4EC000854D03344.NASL
    description Teemu Salmela reports: There is a tar record type, called GNUTYPE_NAMES (an obsolete GNU extension), that allows the creation of symbolic links pointing to arbitrary locations in the filesystem, which makes it possible to create/overwrite arbitrary files.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 23759
    published 2006-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23759
    title FreeBSD : gtar -- GNUTYPE_NAMES directory traversal vulnerability (3dd7eb58-80ae-11db-b4ec-000854d03344)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_TAR-2344.NASL
    description This security update fixes a directory traversal in tar, where unpacked symlinks could be followed outside of the directory where the tar file is unpacked. (CVE-2006-6097) The problematic feature has been made optional and is disabled by default. It can be enabled by a commandline switch.
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29585
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29585
    title SuSE 10 Security Update : tar (ZYPP Patch Number 2344)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_4_9.NASL
    description The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs: ColorSync, CoreGraphics, Crash Reporter, CUPS, Disk Images, DS Plugins, Flash Player, GNU Tar, HFS, HID Family, ImageIO, Kernel, MySQL server, Networking, OpenSSH, Printing, QuickDraw Manager, servermgrd, SMB File Server, Software Update, sudo, WebLog
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 24811
    published 2007-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24811
    title Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0749.NASL
    description Updated tar packages that fix a path traversal flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. Teemu Salmela discovered a path traversal flaw in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar has write access. (CVE-2006-6097) Users of tar should upgrade to this updated package, which contains a replacement backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 23959
    published 2006-12-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23959
    title RHEL 2.1 / 3 / 4 : tar (RHSA-2006:0749)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_TAR-2351.NASL
    description This security update fixes a directory traversal in tar, where unpacked symlinks could be followed outside of the directory where the tar file is unpacked. (CVE-2006-6097) This feature was made optional and needs to be enabled with a commandline option.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27463
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27463
    title openSUSE 10 Security Update : tar (tar-2351)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_TAR-2343.NASL
    description This security update fixes a directory traversal in tar, where unpacked symlinks could be followed outside of the directory where the tar file is unpacked. (CVE-2006-6097) This feature was made optional and needs to be enabled with a commandline option.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27462
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27462
    title openSUSE 10 Security Update : tar (tar-2343)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0749.NASL
    description Updated tar packages that fix a path traversal flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. Teemu Salmela discovered a path traversal flaw in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar has write access. (CVE-2006-6097) Users of tar should upgrade to this updated package, which contains a replacement backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 23941
    published 2006-12-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23941
    title CentOS 3 / 4 : tar (CESA-2006:0749)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2006-0749.NASL
    description From Red Hat Security Advisory 2006:0749: Updated tar packages that fix a path traversal flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. Teemu Salmela discovered a path traversal flaw in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar has write access. (CVE-2006-6097) Users of tar should upgrade to this updated package, which contains a replacement backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 67428
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67428
    title Oracle Linux 3 / 4 : tar (ELSA-2006-0749)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-219.NASL
    description GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216. The updated packages have been patched to address this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24603
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24603
    title Mandrake Linux Security Advisory : tar (MDKSA-2006:219)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2006-335-01.NASL
    description New tar packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and 11.0 to fix a security issue.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 24659
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24659
    title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 8.1 / 9.0 / 9.1 : tar (SSA:2006-335-01)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200612-10.NASL
    description The remote host is affected by the vulnerability described in GLSA-200612-10 (Tar: Directory traversal vulnerability). Tar does not properly extract archive elements using the GNUTYPE_NAMES record name, allowing files to be created at arbitrary locations using symlinks. Once a symlink is extracted, files after the symlink in the archive will be extracted to the destination of the symlink. Impact: An attacker could entice a user to extract a specially crafted tar archive, possibly allowing for the overwriting of arbitrary files on the system extracting the archive. Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 23862
    published 2006-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23862
    title GLSA-200612-10 : Tar: Directory traversal vulnerability
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1223.NASL
    description Teemu Salmela discovered a vulnerability in GNU tar that could allow a malicious user to overwrite arbitrary files by inducing the victim to attempt to extract a specially crafted tar file containing a GNUTYPE_NAMES record with a symbolic link.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 23765
    published 2006-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23765
    title Debian DSA-1223-1 : tar - input validation error
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-385-1.NASL
    description Teemu Salmela discovered that tar still handled the deprecated GNUTYPE_NAMES record type. This record type could be used to create symlinks that would be followed while unpacking a tar archive. If a user or an automated system were tricked into unpacking a specially crafted tar file, arbitrary files could be overwritten with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 27968
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27968
    title Ubuntu 5.10 / 6.06 LTS / 6.10 : tar vulnerability (USN-385-1)
oval via4
accepted 2013-04-29T04:10:18.270-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.
family unix
id oval:org.mitre.oval:def:10963
status accepted
submitted 2010-07-09T03:56:16-04:00
title GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.
version 23
redhat via4
advisories
bugzilla
id 216937
title CVE-2006-6097 GNU tar directory traversal
oval
OR
  • AND
    • comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhsa:tst:20060015001
    • comment tar is earlier than 0:1.13.25-15.RHEL3
      oval oval:com.redhat.rhsa:tst:20060749002
    • comment tar is signed with Red Hat master key
      oval oval:com.redhat.rhsa:tst:20060749003
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhsa:tst:20060016001
    • comment tar is earlier than 0:1.14-12.RHEL4
      oval oval:com.redhat.rhsa:tst:20060749005
    • comment tar is signed with Red Hat master key
      oval oval:com.redhat.rhsa:tst:20060749003
rhsa
id RHSA-2006:0749
released 2006-12-19
severity Moderate
title RHSA-2006:0749: tar security update (Moderate)
rpms
  • tar-0:1.13.25-15.RHEL3
  • tar-0:1.14-12.RHEL4
refmap via4
apple APPLE-SA-2007-03-13
bid 21235
bugtraq
  • 20061201 rPSA-2006-0222-1 tar
  • 20070330 VMSA-2007-0002 VMware ESX security updates
cert TA07-072A
confirm
debian DSA-1223
freebsd FreeBSD-SA-06:26
fulldisc 20061121 GNU tar directory traversal
gentoo GLSA-200612-10
mandriva MDKSA-2006:219
misc https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216937
openpkg OpenPKG-SA-2006.038
sectrack 1017423
secunia
  • 23115
  • 23117
  • 23142
  • 23146
  • 23163
  • 23173
  • 23198
  • 23209
  • 23314
  • 23443
  • 23514
  • 23911
  • 24479
  • 24636
sgi 20061202-01-P
slackware SSA:2006-335-01
sreason 1918
trustix 2006-0068
ubuntu USN-385-1
vupen
  • ADV-2006-4717
  • ADV-2006-5102
  • ADV-2007-0930
  • ADV-2007-1171
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 07-03-2011 - 21:45
Published 24-11-2006 - 13:07
Last modified 17-10-2018 - 17:46