Red Hat Bugzilla – Bug 1253692
CVE-2006-4842 nspr: setuid root programs linked with NSPR allow elevation of privilege
Last modified: 2015-08-14 10:30:33 EDT
NSPR logging is controlled with a couple of environment variables,
one to enable it, and a second to control the name of the log file.
This appears to all work in "optimized" (non-debug) builds.
So, if any setuid root program is linked with NSPR, any user can clobber
any file on the system (any root writable file) by setting NSPR's
environment variables to log to that file, and then running a setuid root
program linked with NSPR.