Amarok: User-assisted remote execution of arbitrary code

1. Gentoo Linux Security Advisory

Advisory Reference	GLSA 200703-11 / amarok
Release Date	March 13, 2007
Latest Revision	March 13, 2007: 01
Impact	normal
Exploitable	remote

Package	Vulnerable versions	Unaffected versions	Architecture(s)
media-sound/amarok	< 1.4.5-r1	>= 1.4.5-r1	All supported architectures

Related bugreports: #166901

Synopsis

The Magnatune component shipped with Amarok is vulnerable to the injection of arbitrary shell code from a malicious Magnatune server.

2. Impact Information

Background

Amarok is an advanced music player.

Description

The Magnatune downloader doesn't quote the "m_currentAlbumFileName" parameter while calling the "unzip" shell command.

Impact

A compromised or malicious Magnatune server can remotely execute arbitrary shell code with the rights of the user running Amarok on a client that have previously registered for buying music.

3. Resolution Information

Workaround

Do not use the Magnatune component of Amarok.

Resolution

All Amarok users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-sound/amarok-1.4.5-r1"

4. References

SA24159

Updated March 13, 2007

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.