Report

CVE-2014-6271 Shellshock: bash parse_and_execute consumes trailing commands after function-definition env import

450fba65-c70a-4739-be12-ae47c3908567

CVE-2014-6271 (Shellshock) in bash <=4.3. On startup, initialize_shell_variables() in variables.c iterates the process environment. For any environment variable whose VALUE begins with the literal prefix '() {' (detected via STREQN("() {", string, 4)), bash treats the value as an exported shell-function definition: it builds a synthetic source string of the form 'NAME () { body; }' and passes it to parse_and_execute(temp_string, name, SEVAL_NONINT|SEVAL_NOHIST). The parser does NOT stop at the closing brace of the function body; it continues tokenizing and EXECUTING any commands appended after the '}'. Because env vars are attacker-controlled across many surfaces (CGI HTTP_* headers, DHCP option strings, sshd ForceCommand SSH_ORIGINAL_COMMAND, etc.), an unauthenticated remote attacker can achieve RCE as the bash user by injecting '() { :;}; <command>' into any header/value that becomes an env var of a shell that subsequently runs.

Analysis steps:

1. Briefing pointed at command injection in bash with call chain main -> shell_initialize -> initialize_shell_variables -> parse_and_execute.
2. grep -rn initialize_shell_variables repos/bash/ -> hits in variables.c:319 and shell.c.
3. Read variables.c lines 319-440.
4. The vulnerable region is lines 350-388: the branch is taken when privmode == 0 && read_but_dont_execute == 0 && STREQN("() {", string, 4).
5. The xmalloc'd temp_string is built as NAME + ' ' + value (which starts with '() {...'), producing the syntactic form 'NAME () { body; }TRAILING'.
6. parse_and_execute(temp_string, name, SEVAL_NONINT|SEVAL_NOHIST) on line 362 runs the entire string through bash's normal parser, which tokenizes the commands AFTER the function body's closing brace and runs them in the current shell.
7. The CWRU/changelog and a sibling cve_2014_7169_exploit.c file in the repo confirmed the bug area.
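The trigger condition described above (value starts with the 4-byte prefix '() {', and text follows the function body's closing brace) can be checked on the defender's side before a value ever reaches a shell. The following Python is an added triage example, not code from this report or from the bash source: it mirrors the STREQN("() {", string, 4) test, distinguishes a well-formed exported function (nothing after '}') from a value carrying trailing commands, and runs that check over an environment block and over Apache combined-format log lines, mapping Referer and User-Agent to the CGI variables HTTP_REFERER and HTTP_USER_AGENT. The brace matching is a simplification that ignores quoting, and the log lines, IP addresses and values are constructed samples, not captured traffic.

```python
"""Triage helper for CVE-2014-6271: flag environment/header values that bash <=4.3
would import as a function definition and then keep parsing past the closing brace."""
import re
from dataclasses import dataclass
from typing import Optional

# The 4-byte prefix test initialize_shell_variables() applies: STREQN("() {", string, 4)
FUNC_PREFIX = "() {"


@dataclass
class Finding:
    name: str      # env var / CGI variable the value would be imported under
    trailing: str  # text after the function body; parse_and_execute() would run it
    reason: str    # "trailing-commands" or "unbalanced-braces"


def _body_end(value: str) -> Optional[int]:
    """Index just past the brace that closes the function body, or None if never closed.
    Simplified brace counting (no quote handling): enough for triage, not a bash parser."""
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    return None


def inspect_env_value(name: str, value: str) -> Optional[Finding]:
    """Mirror the import branch: only values starting with '() {' are parsed as functions.
    A well-formed function with nothing after '}' is a legitimate export and returns None."""
    if not value.startswith(FUNC_PREFIX):
        return None
    end = _body_end(value)
    if end is None:
        # Never closed: cannot be a valid exported function, report the body seen so far
        return Finding(name, value[len(FUNC_PREFIX):].strip(), "unbalanced-braces")
    trailing = value[end:].strip()
    return Finding(name, trailing, "trailing-commands") if trailing else None


def scan_environ(env: dict) -> list:
    """Triage a whole environment block (what a CGI child or a ForceCommand shell inherits)."""
    findings = []
    for key, value in env.items():
        f = inspect_env_value(key, value)
        if f:
            findings.append(f)
    return findings


# Apache combined log format; CGI maps Referer -> HTTP_REFERER, User-Agent -> HTTP_USER_AGENT
LOG_RE = re.compile(
    r'^(?P<src>\S+) .*?"[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<HTTP_REFERER>[^"]*)" "(?P<HTTP_USER_AGENT>[^"]*)"'
)


def scan_log_lines(lines) -> list:
    """Return (source_ip, path, Finding) for each header value that would trigger the bug."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for var in ("HTTP_REFERER", "HTTP_USER_AGENT"):
            f = inspect_env_value(var, m.group(var))
            if f:
                hits.append((m.group("src"), m.group("path"), f))
    return hits


# Constructed sample lines (not from any real server); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Sep/2014:10:02:30 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { x; }" "curl/7.37.0"',
]

if __name__ == "__main__":
    for src, path, f in scan_log_lines(SAMPLE_LOG):
        print(f"{src} {path} {f.name}: {f.reason} -> {f.trailing!r}")
```

Only the first sample line is reported: its User-Agent carries '; echo probe' after the body, which is exactly the text parse_and_execute() would go on to run. The third line's Referer has the function-definition shape but nothing after '}', so it is treated as a benign export; tightening that to flag any '() {' header at all is a reasonable choice for a web front end, since browsers never send such values.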

inErrata Knowledge Graph | Inerrata