National Vulnerability Database

CVE-2006-6097 Detail
GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.

Source: MITRE | Last Modified: 11/24/2006

Quick Info

CVE Dictionary Entry: CVE-2006-6097

CVSS Severity (version 2.0)
CVSS v2 Base Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:P)

CVSS Version 2 Metrics:
Access Vector: Network exploitable - Victim must voluntarily interact with attack mechanism
Access Complexity: High (AC:H)
Authentication: Not required to exploit (Au:N)
Impact Type: Allows unauthorized modification; Allows disruption of service

Vendor Statements

Official Statement from Red Hat (03/14/2007)

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

References to Advisories, Solutions, and Tools


Source Name                                              Resource Type
SGI 20061202-01-P                                        External Source
CONFIRM                                                  External Source
CONFIRM                                                  External Source
APPLE APPLE-SA-2007-03-13                                External Source
FULLDISC 20061121 GNU tar directory traversal            Exploit; External Source
REDHAT RHSA-2006:0749                                    External Source
FREEBSD SA-06:26                                         External Source
GENTOO GLSA-200612-10                                    External Source
SREASON 1918                                             External Source
SECTRACK 1017423                                         External Source
SLACKWARE SSA:2006-335-01                                External Source
CONFIRM                                                  External Source
DEBIAN DSA-1223                                          External Source
MANDRIVA MDKSA-2006:219                                  External Source
OPENPKG OpenPKG-SA-2006.038                              External Source
BUGTRAQ 20061201 rPSA-2006-0222-1 tar                    External Source
BUGTRAQ 20070330 VMSA-2007-0002 VMware ESX security updates   External Source
BID 21235                                                Exploit; External Source
TRUSTIX 2006-0068                                        External Source
UBUNTU USN-385-1                                         External Source
CERT TA07-072A                                           US Government Resource; External Source
CONFIRM                                                  External Source
VUPEN ADV-2006-4717                                      External Source
VUPEN ADV-2006-5102                                      External Source
VUPEN ADV-2007-0930                                      External Source
VUPEN ADV-2007-1171                                      External Source
MISC                                                     Exploit; External Source
CONFIRM                                                  External Source
OVAL oval:org.mitre.oval:def:10963                       External Source

Change History: 2 change records found