Funny Command Injection in Pidgin

Today @_ikki tweet about this funny "fail" bug.Pidgins knotify plugin have remote command injection vulnerability. When you type some commands to your victim its executed with current users local priveliges. Its funny!! :>

--[src/pidgin-knotify.c:71-74]--
command = g_strdup_printf("kdialog --title '%s' --passivepopup '%s' %d", title,
body, timeout);
[...]
result = system(command);
--snip--


Exploitation:
Type your friend who use knotifies old version --> ';COMMAND;'

Reference:
https://bugs.gentoo.org/show_bug.cgi?id=336916