oss-sec mailing list archives

Using NSS (Netscape Security Services) in setuid programs


From: Florian Weimer <fw () deneb enyo de>
Date: Sat, 22 Aug 2009 14:22:07 +0200

NSS (the crypto library from Mozilla) uses environment variables to
enable various dodgy features which no longer seem good ideas.
Obviously, this is a problem when the library is used in a context
where the attacker can set environment variables.  For instance, if a
PAM module uses NSS to establish a TLS connection for authentication
purposes, this allows a local attacker to enable features which make
it easier to impersonate the authentication server.

I couldn't find any programs which might suffer from such a problem,
though.
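
An added example, not part of the original message and not NSS code: one way a setuid program can defend against the problem described above is to reduce its environment to an allow-list before any library reads it. The allow-list contents, the function names and the sample variable `NSS_EXAMPLE_TOGGLE` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Assumed allow-list: the only variables this hypothetical helper needs. */
static const char *const KEEP[] = { "LANG", "LC_ALL", "TZ", NULL };

/* True when running with more privilege than the invoking user. */
int running_elevated(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* 1 if entry ("NAME=value") names an allow-listed variable, exact match. */
static int is_kept(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry) return 0;   /* malformed entry: drop */
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; KEEP[i] != NULL; i++)
        if (strlen(KEEP[i]) == n && strncmp(KEEP[i], entry, n) == 0) return 1;
    return 0;
}

/* Compact a NULL-terminated environment array in place; returns entries kept. */
size_t scrub_env(char **env) {
    size_t kept = 0;
    for (size_t i = 0; env[i] != NULL; i++)
        if (is_kept(env[i])) env[kept++] = env[i];
    env[kept] = NULL;
    return kept;
}

/* Call first thing in main(), before initialising any library. */
void harden_environment(void) {
    if (running_elevated()) scrub_env(environ);
}

int main(void) {
    /* Constructed sample environment; NSS_EXAMPLE_TOGGLE is a placeholder name. */
    char a[] = "NSS_EXAMPLE_TOGGLE=1", b[] = "LANG=C", c[] = "LANGUAGE=x", d[] = "TZ=UTC";
    char *env[] = { a, b, c, d, NULL };
    size_t n = scrub_env(env);
    for (size_t i = 0; i < n; i++) puts(env[i]);
    return 0;
}
```

An allow-list is used rather than a list of variables to remove, so that variables a library starts honouring in a later release are dropped as well.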

