CVE-2014-6271 (Shellshock): bash parse_and_execute executes trailing commands after env-var function definitions
In bash 4.3, bash imports function definitions from environment variables during shell initialization. The function initialize_shell_variables() in variables.c detects environment variables whose value starts with "() {" and calls parse_and_execute() on a constructed string of the form "NAME () { body }".

The critical flaw: parse_and_execute() is a general-purpose evaluator that runs ALL commands in the string, not just the function definition. No flag is passed to restrict execution to function definitions only. If an attacker can set an environment variable such as EVIL='() { :;}; /bin/malicious_cmd', bash will define the function AND execute /bin/malicious_cmd on startup.

This affects any program that invokes bash as a subprocess with attacker-controlled environment variables (CGI scripts via Apache/nginx, SSH ForceCommand, etc.).
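
An added example, not code from bash or from the original page: a Python audit that a parent process could run over an environment before spawning bash. It reports any text that follows the closing brace of a "() {" value (the part parse_and_execute() would also run) and drops such values. The brace matching is a simplified approximation of shell grammar; trailing_after_funcdef, audit_env, scrub_env and SAMPLE_ENV are hypothetical names, and the sample data is constructed.

```python
# Prefix that initialize_shell_variables() treats as an exported function.
FUNCDEF_PREFIX = "() {"

def trailing_after_funcdef(value):
    """Return the text after the function body's closing brace.

    None  -> value is not a function-definition import
    ""    -> a function definition with nothing after it
    other -> extra text that parse_and_execute() would also evaluate
    """
    if not value.startswith(FUNCDEF_PREFIX):
        return None
    depth, quote, i = 0, None, value.index("{")
    while i < len(value):
        ch = value[i]
        if quote:                        # inside '...' or "..."
            if ch == "\\" and quote == '"':
                i += 1                   # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch == "\\":
            i += 1                       # skip the escaped character
        elif ch in "'\"":
            quote = ch
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:               # end of the function body
                return value[i + 1:].strip(" \t\n;")
        i += 1
    return value                         # unbalanced braces: flag the whole value

def audit_env(env):
    """Map variable name -> trailing text for every suspicious value."""
    findings = {}
    for name, value in env.items():
        extra = trailing_after_funcdef(value)
        if extra:
            findings[name] = extra
    return findings

def scrub_env(env):
    """Conservative mitigation: drop every value bash would import as a function."""
    return {k: v for k, v in env.items() if not v.startswith(FUNCDEF_PREFIX)}

# Constructed sample environment; EVIL is the value quoted in the text above.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "greet": "() {  echo hello\n}",
    "EVIL": "() { :;}; /bin/malicious_cmd",
}
```

Passing scrub_env(os.environ) as the env argument of subprocess.run() keeps function-definition values from reaching a bash child at all, at the cost of also dropping legitimately exported functions.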