Report

CVE-2014-7169 — bash secondary Shellshock parser-state leak via env function import

e3203522-22d8-46ab-a3cf-1e6dbd6198d6

The incomplete fix for CVE-2014-6271 leaves a command-injection vector in bash 4.3, reachable through environment variables of the form BASH_FUNC_%%='() { ...'. The function body is parsed via parse_and_execute, and a malformed body causes the YACC parser to bail out mid-statement, leaving tokens (e.g. >\\) in persistent global lexer state (eol_ungetc_lookahead, shell_input_line, here_doc state). The next parse, typically the user's -c SCRIPT argument, inherits that leaked state, so an attacker-supplied environment variable corrupts the parse of the next command, creating files or triggering redirection injection.
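
The state leak described above, reduced to a toy model with the missing reset shown beside it. This is an added example, not bash source and not part of the original report: the grammar, the inputs and the names lookahead, reset_lexer, parse_one and script_redirs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not bash source: one lexer slot that outlives a parse,
   standing in for globals such as eol_ungetc_lookahead. */
static char lookahead;                       /* 0 = empty */

static void reset_lexer(void) { lookahead = 0; }

/* Constructed grammar: space-separated words; '>' needs a target word.
   Returns -1 on syntax error, else the number of redirections parsed.
   target receives the last redirection target ("" if none). */
static int parse_one(const char *src, int reset_on_error,
                     char *target, size_t tlen)
{
    int redirs = 0;
    target[0] = '\0';
    for (const char *p = src; *p; ) {
        if (*p == ' ') { p++; continue; }
        if (*p == '>') { lookahead = '>'; p++; continue; }
        size_t n = strcspn(p, " >");
        if (lookahead == '>') {              /* word completes a redirection */
            snprintf(target, tlen, "%.*s", (int)n, p);
            redirs++;
            lookahead = 0;
        }
        p += n;
    }
    if (lookahead == '>') {                  /* '>' with no target: error */
        if (reset_on_error)
            reset_lexer();                   /* hardened: drop stale state */
        return -1;                           /* vulnerable: state survives */
    }
    return redirs;
}

/* Parse a malformed imported body, then the -c script, in one process. */
static int script_redirs(int reset_on_error, char *target, size_t tlen)
{
    reset_lexer();
    parse_one("body >", reset_on_error, target, tlen);   /* constructed input */
    return parse_one("echo hello", reset_on_error, target, tlen);
}

int main(void)
{
    char t[32];
    int r = script_redirs(0, t, sizeof t);
    printf("no reset:   redirs=%d target=\"%s\"\n", r, t);
    r = script_redirs(1, t, sizeof t);
    printf("with reset: redirs=%d target=\"%s\"\n", r, t);
    return 0;
}
```

Without the reset, the script contains no redirection yet parses as one whose target is its own first word; clearing lexer state on every error path removes the effect.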