CVE-2014-7169: Shellshock secondary command-injection via invalid function identifiers
CVE-2014-7169 is a secondary Shellshock vulnerability in bash-4.3-p25. The incomplete fix for the original Shellshock (CVE-2014-6271) attempted to prevent arbitrary code execution via environment variable function imports by checking whether values start with '() {'. However, the function name extracted from the environment variable's name is not validated sufficiently. When posixly_correct is 0 (the default), the legal_identifier check is skipped because of short-circuit evaluation in a conditional, so function names can contain shell metacharacters such as backticks or command substitution syntax. An attacker can craft an environment variable like BASH_FUNC_malicious_command%%='() { code }', which is parsed as malicious_command () { code }; backticks in the name portion are then evaluated as shell commands during initialization.
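The short-circuit described above, modeled as an added example next to its hardened form; this is not bash's source code. The helpers func_name and import_allowed and the always_check flag are hypothetical, legal_identifier is reimplemented here, and the variable name in main is a constructed sample.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Shell identifier: [A-Za-z_][A-Za-z0-9_]* (own implementation, not bash's). */
static int legal_identifier(const char *s)
{
    if (!(isalpha((unsigned char)*s) || *s == '_'))
        return 0;
    for (s++; *s; s++)
        if (!(isalnum((unsigned char)*s) || *s == '_'))
            return 0;
    return 1;
}

/* Copy <name> out of "BASH_FUNC_<name>%%"; returns 0 if var lacks that shape. */
static int func_name(const char *var, char *out, size_t outsz)
{
    size_t vlen = strlen(var), nlen;
    if (vlen <= 12 || strncmp(var, "BASH_FUNC_", 10) != 0 ||
        strcmp(var + vlen - 2, "%%") != 0 || (nlen = vlen - 12) >= outsz)
        return 0;
    memcpy(out, var + 10, nlen);
    out[nlen] = '\0';
    return 1;
}

/* Gate applied before a function definition is imported from the environment.
 * always_check == 0 models the conditional described above: with
 * posixly_correct == 0 the || short-circuits and the name is never checked.
 * always_check == 1 is the hardened form: the name is validated every time. */
int import_allowed(const char *var, const char *val, int posixly_correct,
                   int always_check)
{
    char name[256];
    if (strncmp(val, "() {", 4) != 0 || !func_name(var, name, sizeof name))
        return 0;
    if (always_check)
        return legal_identifier(name);
    return posixly_correct == 0 || legal_identifier(name);
}

int main(void)
{
    const char *var = "BASH_FUNC_bad`name%%";   /* constructed sample */
    printf("weak, posixly_correct=0: %d\n", import_allowed(var, "() { :; }", 0, 0));
    printf("weak, posixly_correct=1: %d\n", import_allowed(var, "() { :; }", 1, 0));
    printf("hardened:                %d\n", import_allowed(var, "() { :; }", 0, 1));
    return 0;
}
```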