Amarok: User-assisted remote execution of arbitrary code — GLSA 200703-11

The Magnatune component shipped with Amarok is vulnerable to the injection of arbitrary shell code from a malicious Magnatune server.

Affected packages

media-sound/amarok on all architectures
Affected versions < 1.4.5-r1
Unaffected versions >= 1.4.5-r1

Background

Amarok is an advanced music player.

Description

The Magnatune downloader doesn't quote the "m_currentAlbumFileName" parameter while calling the "unzip" shell command.

Impact

A compromised or malicious Magnatune server can remotely execute arbitrary shell code with the rights of the user running Amarok on a client that have previously registered for buying music.

Workaround

Do not use the Magnatune component of Amarok.

Resolution

All Amarok users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-sound/amarok-1.4.5-r1"

References

Release date
March 13, 2007

Latest revision
March 13, 2007: 01

Severity
normal

Exploitable
remote

Bugzilla entries