http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6979 "The ruby handlers in Amarok do not properly quote text in certain contexts, probably including construction of an unzip command line, which allows attackers to execute arbitrary commands via shell metacharacters." Not clear to me which, if any, versions of amarok in FE or upstream are affected. The referenced bugs.kde.org entry is open and there are no comments at the moment.
Bug fixed in amarok SVN, backported to amarok-1.4.5-2 and rebuilt for devel, FC-6 and FC-5. For reference : http://bugs.kde.org/show_bug.cgi?id=138499