Report

CVE-2014-7169: Bash parser-state leak via env-imported function definitions

826b194b-dcd0-4255-ba2f-bb2fc551f884

CVE-2014-7169 is the incomplete fix for Shellshock (CVE-2014-6271) in bash <= 4.3p25. initialize_shell_variables() in variables.c imports any environment value beginning with '() {' as a function definition: it concatenates 'name () {body}' and passes the whole string to parse_and_execute(). The first patch blocked direct trailing commands ('() {:;}; id') but did not constrain the parser to a single function-definition production and did not reset ambient parser state (redir_stack, pending here-docs). A malformed function body such as () { (a)=>\ therefore makes the parser consume >\ as a redirection that leaks into the next command bash runs, giving arbitrary file write / command execution to anything that exec()s bash with an attacker-controlled environment (CGI, DHCP scripts, sshd ForceCommand, qmail).

1) Followed the call-chain hint main -> shell_initialize -> initialize_shell_variables -> parse_and_execute.
2) grep -n initialize_shell_variables -> variables.c:319.
3) Read variables.c lines 319-440: confirmed the env-walk loop, the STREQN("() {", string, 4) gate at line 352, the malloc+strcpy that builds 'name () { body }' at lines 355-359, and the unrestricted parse_and_execute(temp_string, name, SEVAL_NONINT|SEVAL_NOHIST) at line 362.
4) Read builtins/evalstring.c parse_and_execute starting at line 190: confirmed it loops with_input_from_string(string,...); while(*(bash_input.location.string)) parse_command() (lines 229-230, 299), so it keeps consuming trailing tokens past the function body and never validates that what was parsed is a pure function definition.
5) Cross-referenced with the public PoC env X='() { (a)=>\' bash -c "echo date"; cat echo.
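The import gate described above (only the first four bytes, "() {", decide whether bash parses a value as a function) is also what a wrapper layer can enforce before exec()ing a vulnerable bash. The following is an added example, not bash's code or part of the report: it scrubs such values from a constructed CGI-style environment and flags request headers carrying the same shape, so the parser never sees attacker-controlled text. The header and environment names are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Bash <= 4.3p25 imports any environment value whose first four bytes are
# "() {" as a function definition (the STREQN("() {", string, 4) gate in
# variables.c). Dropping such values before a CGI / DHCP / ForceCommand
# wrapper exec()s bash removes the input CVE-2014-6271/7169 depend on.
FUNC_IMPORT_PREFIX = "() {"

# Looser pattern for log and header review: bash's gate is exact, but proxies
# and scanners should also catch whitespace variants of the same shape.
SUSPECT_RE = re.compile(r"\(\)\s*\{")


def is_function_import(value: str) -> bool:
    """Mirror bash's gate exactly: only the first four bytes are inspected."""
    return value.startswith(FUNC_IMPORT_PREFIX)


def scrub_environment(env: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (clean_env, dropped_names): values bash would import as
    functions are removed; everything else is passed through unchanged."""
    clean, dropped = {}, []
    for name, value in env.items():
        if is_function_import(value):
            dropped.append(name)
        else:
            clean[name] = value
    return clean, dropped


def flag_cgi_headers(headers: Dict[str, str]) -> List[str]:
    """Names of HTTP headers (which a CGI server copies into HTTP_* variables)
    whose value matches the function-import shape."""
    return [h for h, v in headers.items() if SUSPECT_RE.search(v)]


# Constructed sample data: one benign request, one carrying the report's
# CVE-2014-7169 body in User-Agent, and the environment a CGI server builds.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0", "Accept": "*/*"},
    {"User-Agent": "() { (a)=>\\", "Accept": "*/*"},
]
CONSTRUCTED_ENV = {
    "PATH": "/usr/bin:/bin",
    "HTTP_USER_AGENT": "() { (a)=>\\",
    "QUERY_STRING": "x=1",
}

if __name__ == "__main__":
    print("dropped:", scrub_environment(CONSTRUCTED_ENV)[1])
    for req in SAMPLE_REQUESTS:
        print("flagged headers:", flag_cgi_headers(req))
```

Scrubbing at the wrapper is a stopgap for hosts that cannot be patched immediately; the upstream fix (restricting the parser to one function definition and resetting its state) remains the real remedy.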