Report

CVE-2014-7169: Shellshock bypass via unvalidated function names in non-POSIX mode


CVE-2014-7169 is an incomplete fix for Shellshock (CVE-2014-6271) in Bash. The original vulnerability allowed arbitrary code execution through malformed function definitions in environment variables. The initial Shellshock patch added a check for '() {' at the start of environment variable values. However, the incomplete patch fails to validate function names containing shell metacharacters (backticks, $(), etc.) in non-POSIX mode, allowing these metacharacters to be interpreted by the shell parser when the function is imported.

The vulnerability is located in variables.c, in the function initialize_shell_variables, which imports function definitions from environment variables as part of shell initialization. Line 374 checks STREQN('() {', string, 4) to detect function definitions (the Shellshock patch). Line 394, however, contains the flaw: if (absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname))). In non-POSIX mode (the default), posixly_correct is false, so the OR condition short-circuits and the legal_identifier validation is skipped. As a result, function names containing shell metacharacters are passed to parse_and_execute at line 395, where the shell parser interprets them.
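A simplified model of the line-394 guard described above, added here as an illustration rather than bash's own code: legal_identifier and absolute_program are stand-in reimplementations (assumed: a legal name is [A-Za-z_][A-Za-z0-9_]*, and absolute_program means the name contains a slash), and the two predicates show why the short-circuit lets metacharacter names through in non-POSIX mode while a guard that always validates the identifier does not.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for bash's legal_identifier(): a valid shell name is
   [A-Za-z_][A-Za-z0-9_]*.  Assumed simplification, not bash's code. */
static bool legal_identifier(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    if (!(isalpha((unsigned char)*name) || *name == '_'))
        return false;
    for (const char *p = name + 1; *p; p++)
        if (!(isalnum((unsigned char)*p) || *p == '_'))
            return false;
    return true;
}

/* Stand-in for absolute_program(): true when the name contains a slash. */
static bool absolute_program(const char *name)
{
    return strchr(name, '/') != NULL;
}

/* The guard as the report describes it: when posixly_correct == 0 the OR
   short-circuits and legal_identifier() is never evaluated. */
bool vulnerable_import_allowed(const char *tname, int posixly_correct)
{
    return absolute_program(tname) == 0 &&
           (posixly_correct == 0 || legal_identifier(tname));
}

/* Hardened guard: the name must be a legal identifier regardless of POSIX mode. */
bool hardened_import_allowed(const char *tname)
{
    return absolute_program(tname) == 0 && legal_identifier(tname);
}

int main(void)
{
    /* Constructed sample variable names, including ones carrying metacharacters. */
    const char *names[] = { "my_func", "f`x`", "f$(x)", "bin/ls" };
    for (size_t i = 0; i < sizeof names / sizeof *names; i++)
        printf("%-8s non-POSIX=%d POSIX=%d hardened=%d\n", names[i],
               vulnerable_import_allowed(names[i], 0),
               vulnerable_import_allowed(names[i], 1),
               hardened_import_allowed(names[i]));
    return 0;
}
```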
