List: oss-security
Subject: [oss-security] Using NSS (Netscape Security Services) in setuid programs
From: Florian Weimer <fw () deneb ! enyo ! de>
Date: 2009-08-22 12:22:07
Message-ID: 87r5v49gy8.fsf () mid ! deneb ! enyo ! de
NSS (the crypto library from Mozilla) uses environment variables to
enable various dodgy features which no longer seem good ideas.
Obviously, this is a problem when the library is used in a context
where the attacker can set environment variables. For instance, if a
PAM module uses NSS to establish a TLS connection for authentication
purposes, this allows a local attacker to enable features which make
it easier to impersonate the authentication server.
I couldn't find any programs which might suffer from such a problem,
though.
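
A defensive pattern for the situation described above, as an added example that is not part of the original post and is not NSS code: a setuid program replaces its environment with a short allowlist before any library gets to call getenv(). The function names and the TZ/LANG allowlist are assumptions; because the post names no specific variables, the code drops everything that is not allowlisted instead of enumerating NSS's own.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
extern char **environ;
static char *empty_env[] = { NULL };

/* True in a setuid/setgid process: the invoker controls the environment. */
int env_is_untrusted(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Heap-allocate "NAME=value"; NULL on allocation failure. */
static char *make_entry(const char *name, const char *value)
{
    size_t nl = strlen(name), vl = strlen(value);
    char *e = malloc(nl + vl + 2);
    if (!e) return NULL;
    memcpy(e, name, nl);
    e[nl] = '=';
    memcpy(e + nl + 1, value, vl + 1);
    return e;
}

/* Replace the environment with the allowlisted names only. Returns the
 * number kept, or -1 on allocation failure with the environment left empty. */
int keep_only_env(const char *const *allow, size_t n_allow)
{
    char **fresh = calloc(n_allow + 1, sizeof *fresh);
    size_t i, kept = 0;
    int ok = (fresh != NULL);
    for (i = 0; ok && i < n_allow; i++) {
        const char *v = getenv(allow[i]);   /* still points into the old environ */
        if (v && !(fresh[kept] = make_entry(allow[i], v)))
            ok = 0;
        else if (v)
            kept++;
    }
    environ = ok ? fresh : empty_env;       /* fail closed */
    return ok ? (int)kept : -1;
}

int main(void)
{
    static const char *const allow[] = { "TZ", "LANG" }; /* assumed allowlist */
    if (env_is_untrusted() && keep_only_env(allow, 2) < 0)
        return 1;
    /* Only now initialise NSS or any other library that calls getenv(). */
    return 0;
}
```

A PAM module cannot do this itself, since it runs inside a host program it does not own; the scrubbing belongs in the setuid program that loads it.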