CVE-2006-6097

GNU tar 1.15.1-1.16 - Arbitrary File Overwrite via GNUTYPE_NAMES Symbolic Link

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-6097. PoCs published by Teemu Salmela.

AI-analyzed exploit summary This exploit generates a malicious GNU Tar archive that leverages directory traversal (CVE-2006-6097) to create a symlink pointing to an arbitrary location. The PoC demonstrates how an attacker can overwrite or place files in unintended directories during archive extraction.

Description

GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Teemu Salmela · cremotelinux
https://www.exploit-db.com/exploits/29160

This exploit generates a malicious GNU Tar archive that leverages directory traversal (CVE-2006-6097) to create a symlink pointing to an arbitrary location. The PoC demonstrates how an attacker can overwrite or place files in unintended directories during archive extraction.

Classification
Working Poc 100%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: GNU Tar (versions affected by CVE-2006-6097)
No auth needed
Prerequisites: Ability to deliver a malicious tar archive to the victim · Victim must extract the archive
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (43)

Core 43
Core References
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA07-072A.html
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-385-1
Vendor Advisory vendor-advisory x_refsource_trustix
http://www.trustix.org/errata/2006/0068/
Issue Tracking x_refsource_confirm
https://issues.rpath.com/browse/RPL-821
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23117
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10963
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/1918
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21235
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23146
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2007/Mar/msg00002.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23209
Vendor Advisory x_refsource_confirm
http://docs.info.apple.com/article.html?artnum=305214
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/5102
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23142
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23314
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/1171
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200612-10.xml
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23198
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23115
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/453286/100/0/threaded
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23911
Vendor Advisory vendor-advisory x_refsource_sgi
ftp://patches.sgi.com/support/free/security/advisories/20061202-01-P.asc
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/464268/100/0/threaded
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23173
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2006-0749.html
Various Sources vendor-advisory x_refsource_freebsd
http://security.freebsd.org/advisories/FreeBSD-SA-06:26.gtar.asc
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017423
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/24636
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2006/dsa-1223
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/0930
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23443
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2006:219
Vendor Advisory vendor-advisory x_refsource_openpkg
http://www.openpkg.com/security/advisories/OpenPKG-SA-2006.038.html
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4717
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23514
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/24479
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23163

Scores

EPSS 0.1075
EPSS Percentile 95.3%

Details

Status published
Products (2)
gnu/tar 1.15.1
gnu/tar 1.16
Published Nov 24, 2006
Tracked Since Feb 18, 2026