CVE-2019-9924: bash rbash escape via fall-back script interpretation and BASH_CMDS
The restricted shell (rbash) in Bash <= 5.0 can be bypassed because shell_execve (execute_cmd.c:5785-5788) unconditionally calls change_flag('r', FLAG_OFF) when bash falls back to interpreting a file whose execve() failed with ENOEXEC. The forked subshell that interprets the script therefore runs without rbash restrictions: PATH, SHELL and ENV become writable, slashes in command names are allowed, and exec, cd and redirection work, among other things. The behavior is even documented in the repository's RBASH file, lines 34-36.

Related historical vector (the BASH_CMDS path of CVE-2019-9924, fixed before bash-4.4-beta2 in variables.c:assign_hashcmd, lines 1764-1785): writing BASH_CMDS[name]=/path/to/binary populated the command hash table directly, letting the rbash user run arbitrary binaries.

Bug class: restricted-bypass.
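
An audit for the fall-back path described above, added here as an example and not taken from the bash sources: it walks the PATH given to an rbash account and reports directories the account can write to and executable files that execve() would reject with ENOEXEC. The function names and output labels are hypothetical, and it assumes ELF and "#!" are the only formats the kernel will start.

```shell
#!/bin/sh
# Added audit example (not from the bash sources). Run as the restricted
# account's uid so the -w and -x tests reflect that account's permissions.

# Succeeds when FILE is executable, non-empty, and starts with neither the
# ELF magic nor "#!": execve() on such a file fails with ENOEXEC and bash
# falls back to interpreting it. Assumption: no other binfmt handlers.
needs_fallback() {
    [ -f "$1" ] && [ -x "$1" ] && [ -s "$1" ] || return 1
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) return 1 ;;   # \x7fELF: loaded by the kernel
        2321*)    return 1 ;;   # "#!": kernel starts the named interpreter
    esac
    return 0
}

# Walk a colon-separated PATH value and report:
#   writable-dir:DIR      the account can add files where rbash looks
#   fallback-script:FILE  candidate for the restriction-dropping fall-back
audit_restricted_path() {
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        IFS=$old_ifs
        [ -d "$dir" ] || continue
        [ -w "$dir" ] && echo "writable-dir:$dir"
        for f in "$dir"/*; do
            needs_fallback "$f" && echo "fallback-script:$f"
        done
    done
    IFS=$old_ifs
}

# Usage: sh audit.sh /path/one:/path/two   (the PATH given to the rbash account)
if [ "$#" -gt 0 ]; then
    audit_restricted_path "$1"
fi
```

A clean result is an empty report: every entry on the restricted PATH is an ELF binary or a "#!" script, and none of the directories is writable by the account.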