This is well worth fixing. A lot of software calls system() or doesn't vet the environment variables passed to execve(). Some of those programs will be network-connected (perhaps CGI programs). As a result this bug is remotely exploitable via particular network-facing applications.

-glen
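One way to vet the environment before calling execve(), as an added example (not code from the comment above or from any project it refers to): copy only allowlisted variable names with conservative values into a fresh array and pass that array as envp. The allowlist, the safe-character set, the fixed PATH and the function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed allowlist: names the child program is expected to need. */
static const char *const ALLOWED[] = { "LANG", "TZ", "REQUEST_METHOD" };
/* Assumed conservative value alphabet: no spaces, quotes or shell metacharacters. */
static const char SAFE_CHARS[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-/:";
static char FIXED_PATH[] = "PATH=/usr/bin:/bin"; /* never inherit the caller's PATH */

/* 1 if entry is NAME=value with an allowlisted NAME and a value made only of SAFE_CHARS. */
static int entry_is_safe(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    size_t name_len = (size_t)(eq - entry);
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        if (strlen(ALLOWED[i]) == name_len &&
            strncmp(entry, ALLOWED[i], name_len) == 0)
            return eq[1 + strspn(eq + 1, SAFE_CHARS)] == '\0';
    }
    return 0; /* unknown names are dropped, not sanitized */
}

/* Fill out[] with FIXED_PATH plus the vetted entries of envp, NULL-terminated.
 * Returns the number of entries, or -1 if out[] is too small. */
int build_clean_env(char *const envp[], char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2)
        return -1;
    out[n++] = FIXED_PATH;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (!entry_is_safe(envp[i]))
            continue;
        if (n + 1 >= cap)
            return -1; /* fail closed rather than truncate silently */
        out[n++] = envp[i];
    }
    out[n] = NULL;
    return (int)n;
}

int main(void)
{
    /* Constructed sample environment, as a CGI-style parent might hold it. */
    char *env[] = { "LANG=C", "HTTP_USER_AGENT=text set by the client", NULL };
    char *clean[8];
    int n = build_clean_env(env, clean, 8);
    for (int i = 0; i < n; i++)
        puts(clean[i]); /* a real caller would pass clean to execve() as envp */
    return 0;
}
```

A program that currently calls system() would need to switch to fork() plus execve() to use this, since system() always hands the inherited environment to the shell.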