This is one of the dumbest and most dangerous bugs I’ve ever heard of. From the KDE security list:
When a vfat thumbdrive which contains “ or $() in its volume label is plugged and mounted trough the device notifier, it’s interpreted as a shell command, leaving a possibility of arbitrary commands execution. an example of offending volume label is “$(touch b)” which will create a file called b in the home folder.
It’s jaw-dropping.