"The ruby handlers in Amarok do not properly quote text in certain contexts,
probably including construction of an unzip command line, which allows attackers
to execute arbitrary commands via shell metacharacters."
Not clear to me which, if any, versions of amarok in FE or upstream are
affected. The referenced bugs.kde.org entry is open and there are no comments
at the moment.
Bug fixed in amarok SVN, backported to amarok-1.4.5-2 and rebuilt for devel,
FC-6 and FC-5.
For reference: http://bugs.kde.org/show_bug.cgi?id=138499
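
The quoting problem the advisory text describes, shown as an added Ruby example; this is not code from Amarok or from this report. The function names and the sample file name are constructed for illustration, and `printf '%s\n'` stands in for `unzip` so the behaviour can be observed offline (it prints each argument it receives on its own line).

```ruby
require 'open3'
require 'shellwords'

# Constructed sample: an archive name carrying a shell metacharacter.
HOSTILE_NAME = "theme.zip; echo INJECTED"

# Pattern described in the advisory: the name is interpolated into a single
# string, so /bin/sh parses it and treats ";" as a command separator.
def args_seen_unquoted(name)
  out, _status = Open3.capture2("printf '%s\\n' #{name}")
  out.lines.map(&:chomp)
end

# Fix 1: argv form. No shell is involved; the name stays one argument.
def args_seen_argv(name)
  out, _status = Open3.capture2("printf", "%s\\n", name)
  out.lines.map(&:chomp)
end

# Fix 2: if a shell string cannot be avoided, escape every interpolated value.
def args_seen_escaped(name)
  out, _status = Open3.capture2("printf '%s\\n' #{Shellwords.escape(name)}")
  out.lines.map(&:chomp)
end

# A leading "-" would be read as an option, so anchor such names with "./".
def as_operand(name)
  name.start_with?("-") ? File.join(".", name) : name
end

# Hypothetical helper: the argv a handler could pass to system(*argv).
def unzip_argv(archive, dest)
  ["unzip", "-o", as_operand(archive), "-d", dest]
end

if __FILE__ == $PROGRAM_NAME
  p args_seen_unquoted(HOSTILE_NAME)
  p args_seen_argv(HOSTILE_NAME)
  p args_seen_escaped(HOSTILE_NAME)
  p unzip_argv("-theme.zip", "/tmp/out")
end
```
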