oss-sec mailing list archives
Using NSS (Netscape Security Services) in setuid programs
From: Florian Weimer <fw () deneb enyo de>
Date: Sat, 22 Aug 2009 14:22:07 +0200
NSS (the crypto library from Mozilla) uses environment variables to enable various dodgy features which no longer seem good ideas. Obviously, this is a problem when the library is used in a context where the attacker can set environment variables. For instance, if a PAM module uses NSS to establish a TLS connection for authentication purposes, this allows a local attacker to enable features which make it easier to impersonate the authentication server. I couldn't find any programs which might suffer from such a problem, though.
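The program-side mitigation for the problem described above, as an added example that is not part of the original post or of NSS: a setuid program rebuilds its environment from an allowlist at the start of `main()`, before the library is first initialised. The allowlist, the fixed `PATH` value and the function names are assumptions chosen for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* clearenv() is a glibc extension */
#endif
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed allowlist: the only inherited variables this program keeps. */
static const char *const keep[] = { "TZ", "LANG", NULL };

/* Real and effective IDs differ: the invoking user controls the
 * environment of a process running with someone else's privileges. */
int runs_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Reject values that could name a file chosen by the invoking user. */
static int safe_value(const char *v)
{
    return v[0] != '/' && v[0] != ':' && strstr(v, "..") == NULL
        && strlen(v) < 64;
}

/* Replace the environment with a fixed PATH plus allowlisted variables.
 * Returns 0 on success, -1 on failure; on failure the caller must exit
 * rather than go on to initialise the library. */
int scrub_environment(void)
{
    char *saved[sizeof keep / sizeof keep[0]] = { 0 };
    size_t i;
    int rc = -1;

    for (i = 0; keep[i] != NULL; i++) {
        const char *v = getenv(keep[i]);
        if (v != NULL && safe_value(v) && (saved[i] = strdup(v)) == NULL)
            goto out;
    }
    if (clearenv() != 0 || setenv("PATH", "/usr/bin:/bin", 1) != 0)
        goto out;
    for (i = 0; keep[i] != NULL; i++)
        if (saved[i] != NULL && setenv(keep[i], saved[i], 1) != 0)
            goto out;
    rc = 0;
out:
    for (i = 0; keep[i] != NULL; i++)
        free(saved[i]);
    return rc;
}
```

A caller would run `if (runs_privileged() && scrub_environment() != 0) _exit(1);` as its first statement. An allowlist is used instead of stripping known variable names so that variables added to the library later are also dropped.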