Report

CVE-2014-7169 — incomplete Shellshock fix in bash 4.3-p25 (variables.c initialize_shell_variables -> parse_and_execute)

c3e9e23f-1853-4c36-93ec-9f0a1a5c9af5

CVE-2014-7169 is the follow-up bypass to CVE-2014-6271 (Shellshock) in GNU bash 4.3-p25. The original patch wraps imported environment-function bodies as name () { body } and feeds them to parse_and_execute(), but it does NOT constrain the parser to a single function definition. Crafted bodies like () { (a)=>\\ leave residual parser/redirection state, so the next bash read is captured as a redirection target — letting an attacker write attacker-chosen content to attacker-chosen files (and from there, achieve code execution). The vulnerable site is variables.c:initialize_shell_variables, lines 352–388, specifically the call parse_and_execute(temp_string, name, SEVAL_NONINT|SEVAL_NOHIST) on line 362, which lacks the SEVAL_FUNCDEF and SEVAL_ONECMD flags the upstream fix later added. Additionally, legal_identifier(name) is only consulted under posixly_correct, so non-identifier names are accepted by default.
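The import gate described above, modeled in C as an added example (not bash source and not part of the original report). The helper import_decision, its hardened switch, the unconditional name check in the hardened path, and the numeric flag values are assumptions made for this model; only the flag and function names come from the report.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed flag values for this model; only the names come from the report. */
enum { SEVAL_NONINT = 0x001, SEVAL_NOHIST = 0x004,
       SEVAL_FUNCDEF = 0x080, SEVAL_ONECMD = 0x100 };

/* Shell identifier rule: [A-Za-z_][A-Za-z0-9_]* */
static int legal_identifier(const char *name)
{
    if (!name || !(isalpha((unsigned char)*name) || *name == '_'))
        return 0;
    for (const char *p = name + 1; *p; p++)
        if (!(isalnum((unsigned char)*p) || *p == '_'))
            return 0;
    return 1;
}

/* Hypothetical helper: what the import step would hand to parse_and_execute().
   Returns the SEVAL flag mask, or -1 if the variable is not imported as a
   function. `out` receives the wrapped "name () { body }" string. */
static int import_decision(const char *name, const char *value, int hardened,
                           int posixly_correct, char *out, size_t outlen)
{
    if (strncmp(value, "() {", 4) != 0)
        return -1;                        /* ordinary variable, never parsed */
    /* Flawed gate: the name is checked only under posixly_correct. */
    if ((hardened || posixly_correct) && !legal_identifier(name))
        return -1;
    int n = snprintf(out, outlen, "%s %s", name, value);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                        /* refuse truncated definitions */
    int flags = SEVAL_NONINT | SEVAL_NOHIST;
    if (hardened)
        flags |= SEVAL_FUNCDEF | SEVAL_ONECMD;  /* one function definition only */
    return flags;
}

int main(void)
{
    char buf[128];
    const char *names[] = { "greet", "bad-name;x" };  /* constructed samples */
    for (int i = 0; i < 2; i++)
        for (int h = 0; h <= 1; h++)
            printf("%-12s hardened=%d -> flags=%d\n", names[i], h,
                   import_decision(names[i], "() { echo hi; }", h, 0, buf, sizeof buf));
    return 0;
}
```

A return of -1 means the value stays an ordinary shell variable and never reaches the parser; the flag mask only records what the parser is asked to enforce.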