NSS (the crypto library from Mozilla) uses environment variables to enable various dodgy features which no longer seem good ideas. Obviously, this is a problem when the library is used in a context where the attacker can set environment variables. For instance, if a PAM module uses NSS to establish a TLS connection for authentication purposes, this allows a local attacker to enable features which make it easier to impersonate the authentication server.

One such binary was reported in:

https://bugzilla.redhat.com/show_bug.cgi?id=1250415#c1

Other binaries were found by Florian Weimer:

/sbin/mount.ecryptfs_private
/usr/bin/ssh-agent
/usr/libexec/openssh/ssh-keysign
/usr/bin/staprun

There might be PAM/NSS (glibc Name Service Switch) modules affected, particularly older ones.

The main question is whether we want to migrate NSS to secure_getenv, or fix all callers individually.

CVE request:

https://bugzilla.mozilla.org/show_bug.cgi?id=1194680
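The library-side option in the question above, shown as an added example (not NSS code and not part of the original report): the same toggle read with getenv() and with glibc's secure_getenv(), which returns NULL when the kernel has set AT_SECURE for a setuid/setgid or capability-bearing binary. The variable name EXAMPLELIB_ALLOW_WEAK and all function names are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* secure_getenv() is a glibc extension (2.17+) */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>          /* getauxval(), AT_SECURE */

/* Declared explicitly in case a header was pulled in before _GNU_SOURCE. */
extern char *secure_getenv(const char *name);

#define TOGGLE "EXAMPLELIB_ALLOW_WEAK"   /* hypothetical name, not an NSS variable */

static int is_on(const char *v) { return v != NULL && strcmp(v, "1") == 0; }

/* Nonzero when the kernel flagged the process as privileged
 * (setuid/setgid binary or file capabilities). */
static int process_is_privileged(void) { return getauxval(AT_SECURE) != 0; }

/* Pattern at issue: the library trusts the caller's environment. */
static int weak_mode_getenv(void) { return is_on(getenv(TOGGLE)); }

/* Library-side fix: secure_getenv() returns NULL in a privileged process. */
static int weak_mode_secure_getenv(void) { return is_on(secure_getenv(TOGGLE)); }

/* Same policy with the privilege state passed in, so the privileged case
 * can be exercised without installing a setuid binary. */
static int weak_mode_policy(int privileged)
{
    return privileged ? 0 : is_on(getenv(TOGGLE));
}

int main(void)
{
    setenv(TOGGLE, "1", 1);    /* constructed input: what a local user would export */
    printf("privileged=%d getenv=%d secure_getenv=%d policy(1)=%d\n",
           process_is_privileged(), weak_mode_getenv(),
           weak_mode_secure_getenv(), weak_mode_policy(1));
    return 0;
}
```

In an ordinary unprivileged process both lookups see the variable; the two only diverge once the binary runs with AT_SECURE set, which is the case the listed setuid programs fall into.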
Created nss tracking bugs for this issue:

Affects: fedora-all [bug 1253747]