You should play MP3s only from trusted sources
Playing an MP3 created by a hacker may allow that hacker to take control of the system. This applies only to MP3s that are on the list of MP3s to play (in mp3.txt).
RobX uses Allegro MP3, which is built with some code from MPG-123. MPG-123 has announced a potential security vulnerability that affects their code.
Gentoo Linux says:
By inducing a user to play a malicious file, an attacker may be able to exploit a buffer overflow to execute arbitrary code with the permissions of the user running mpg123.