It should not be possible to execute code placed in a .info file. However, since .info values are often displayed to the user, it is possible to execute JavaScript.
There are situations where this is a little nasty. For example, it is possible to add JavaScript into a module's .info file that can automatically install the module when the user visits the /admin/build/modules page. A line of .info that could do this:
package = "Bad judgement<script type='text/javascript'>if($('#edit-status-mymodule').attr('checked')!=true){$('#edit-status-mymodule').attr('checked','checked');$('#edit-status-mymodule').parents('form').submit();}</script>"
I've attached a one-liner patch that will cause all .info values to be run through filter_xss(). Please note that this has already been reviewed by the security team and this patch is considered a non-critical hardening.
Edit by greggles: this does not need to be handled as a security bug. If someone can write malicious code to your .info files you are already screwed from a security perspective. This is just a hardening and can be handled publicly.
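An added example, not part of the original issue or of Drupal's code: a small Python audit that parses the `key = value` lines of a .info file and reports values containing an HTML tag opener, the kind of value the proposed filter_xss() hardening would sanitize before display. The sample file contents, the function names and the tag heuristic are assumptions made for illustration.

```python
import re

# Constructed sample files (not from the issue). The second has markup in "package".
SAMPLES = {
    "good.info": """name = Good module
; comments start with a semicolon
package = "Other"
core = 6.x
dependencies[] = views
""",
    "bad.info": """name = Example
package = "Bad judgement<script type='text/javascript'>/* constructed */</script>"
core = 6.x
""",
}

# key = value, where the key may carry [] (e.g. dependencies[]) and cannot contain '='.
LINE_RE = re.compile(r"^\s*([^=;\s][^=]*?)\s*=\s*(.*?)\s*$")
# Heuristic (assumption): any '<' directly followed by a tag-name character or '/'.
TAG_RE = re.compile(r"</?[A-Za-z!]")


def parse_info(text):
    """Yield (line_no, key, value) for each assignment; skip blanks and ';' comments."""
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        match = LINE_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        # Strip one pair of matching surrounding quotes, as .info values may be quoted.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        yield line_no, key, value


def audit_info(text):
    """Return [(line_no, key)] for every value that contains an HTML tag opener."""
    return [(no, key) for no, key, value in parse_info(text) if TAG_RE.search(value)]


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for line_no, key in audit_info(text):
            print(f"{name}:{line_no}: markup in value of '{key}'")
```

A hit means the value needs review before the module directory is trusted; it complements output filtering rather than replacing it.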