Amarok: User-assisted remote execution of arbitrary code

2007-03-13T00:00:00
ID GLSA-200703-11
Type gentoo
Reporter Gentoo Foundation
Modified 2007-03-13T00:00:00

Description

Background

Amarok is an advanced music player.

Description

The Magnatune downloader doesn't quote the "m_currentAlbumFileName" parameter while calling the "unzip" shell command.

Impact

A compromised or malicious Magnatune server can remotely execute arbitrary shell code with the rights of the user running Amarok on a client that have previously registered for buying music.

Workaround

Do not use the Magnatune component of Amarok.

Resolution

All Amarok users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-sound/amarok-1.4.5-r1"