If the shell command can be injected seems only depend on how the Musikplayers store their data.
The Gmusicbrowser Unity Scope seems to be lucky because the gmusicbrowser player changes special chars in the name before it stores it in his database. The Audacious Scope and Clementine Scope are not so lucky. I attached a screenshot where you can see the differences. ** Attachment added: "db.png" https://bugs.launchpad.net/ubuntu/+source/unity-scope-audacious/+bug/1483037/+attachment/4454462/+files/db.png -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1483037 Title: Possible Shell Command Injection in daemon To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/unity-scope-audacious/+bug/1483037/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs