Libraries

Dynamic Danger


For a variety of reasons, it has been found useful to place commonly used code in one reusable package called a library. To make these libraries easier to use and upgrade, they are dynamically loaded at execution time.

An environment variable called LD_LIBRARY_PATH was created to specify an alternate path in which to search for dynamic libraries. So if an attacker can get a root process to look elsewhere for its library, some pretty interesting things can happen.

An old example of this was with telnetd. Telnet has a facility to pass environment variables across a connection. This allows you to pass the LD_LIBRARY_PATH variable over to your new connection. This will get passed to login (a suid program) which will then link in the new library. You can then modify the library accordingly to act in a different manner.

So, if you have important programs, you should consider statically linking them at compile time, so that they do not depend on the run-time library search path.
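
The telnetd case above comes down to a daemon forwarding client-supplied environment variables to a privileged program. As an added example (not code from this page or from any telnetd implementation), the C below strips dynamic-loader variables from an environment array before it would be handed to such a program; the function names and the `LD_` prefix list are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes a daemon should never forward to a set-uid child. "LD_" covers
 * LD_LIBRARY_PATH from the text plus related loader variables such as
 * LD_PRELOAD. The list is an assumption of this example, not exhaustive. */
static const char *const blocked_prefixes[] = { "LD_", NULL };

/* Return 1 if the "NAME=value" entry starts with a blocked prefix. */
int is_loader_var(const char *entry)
{
    for (size_t i = 0; blocked_prefixes[i] != NULL; i++) {
        size_t len = strlen(blocked_prefixes[i]);
        if (strncmp(entry, blocked_prefixes[i], len) == 0)
            return 1;
    }
    return 0;
}

/* Compact a NULL-terminated environment array in place, dropping loader
 * variables. Only the pointer array is rewritten; the strings are untouched.
 * Returns the number of entries removed. */
size_t scrub_env(char **envp)
{
    size_t kept = 0, dropped = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (is_loader_var(envp[i]))
            dropped++;
        else
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return dropped;
}

int main(void)
{
    /* Constructed sample: environment as received from a remote client. */
    char *env[] = { "TERM=vt100", "LD_LIBRARY_PATH=/tmp/x", "DISPLAY=host:0",
                    "LD_PRELOAD=/tmp/y.so", NULL };
    size_t dropped = scrub_env(env);
    printf("dropped %zu\n", dropped);
    for (size_t i = 0; env[i] != NULL; i++)
        printf("kept %s\n", env[i]);
    return 0;
}
```

An allowlist of variables known to be safe is stricter than the prefix denylist shown here.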

