
List:       oss-security
Subject:    [oss-security] Using NSS (Netscape Security Services) in setuid programs
From:       Florian Weimer <fw () deneb ! enyo ! de>
Date:       2009-08-22 12:22:07
Message-ID: 87r5v49gy8.fsf () mid ! deneb ! enyo ! de

NSS (the crypto library from Mozilla) uses environment variables to
enable various dodgy features which no longer seem good ideas.
Obviously, this is a problem when the library is used in a context
where the attacker can set environment variables.  For instance, if a
PAM module uses NSS to establish a TLS connection for authentication
purposes, this allows a local attacker to enable features which make
it easier to impersonate the authentication server.

I couldn't find any programs which might suffer from such a problem,
though.
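
An added example, not part of the original message and not NSS code: one way a setuid program can stop invoker-set environment variables from reaching a library it links, by rebuilding the environment from an allow-list before any library initialisation. The allow-list contents, the pinned PATH value and the function names are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>

/* Hypothetical allow-list: the only variables this program carries over.
 * Their values are still invoker-controlled and must be validated on use. */
static const char *const KEEP[] = { "TZ", "LANG" };
#define NKEEP (sizeof KEEP / sizeof KEEP[0])

/* True when the process runs with more privilege than its invoker. */
int runs_privileged(void)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return 1;
    return getauxval(AT_SECURE) != 0;  /* Linux: also set for file capabilities */
}

/* Drop every variable except the allow-listed ones, then pin PATH.
 * Returns the number of variables carried over, or -1 on failure. */
int scrub_environment(void)
{
    char *saved[NKEEP] = { 0 };
    int kept = 0, rc = 0;

    for (size_t i = 0; i < NKEEP; i++) {        /* copy values before clearing */
        const char *v = getenv(KEEP[i]);
        if (v && !(saved[i] = strdup(v)))
            rc = -1;
    }
    if (rc == 0 && clearenv() != 0)             /* glibc extension */
        rc = -1;
    for (size_t i = 0; i < NKEEP; i++) {        /* restore the allow-listed ones */
        if (saved[i] && rc == 0) {
            if (setenv(KEEP[i], saved[i], 1) == 0) kept++; else rc = -1;
        }
        free(saved[i]);
    }
    if (rc == 0 && setenv("PATH", "/usr/bin:/bin", 1) != 0)
        rc = -1;
    return rc == 0 ? kept : -1;
}

int main(void)
{
    /* Run first, before the crypto library is initialised; fail closed. */
    if (runs_privileged() && scrub_environment() < 0)
        return 1;
    return 0;
}
```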