Report

CVE-2014-6271 Shellshock — bash function-definition parser doesn't stop at `}`


Bash imports exported function definitions from environment variables by feeding the entire variable value to `parse_and_execute()`. The parser keeps consuming input past the function body's closing brace, so any trailing shell commands run during shell initialization with the privileges of the bash invocation. The bug is reachable from any process that spawns bash with attacker-controlled environment variables (CGI scripts, DHCP clients, OpenSSH `ForceCommand`, etc.).

In bash-4.3, grep for `initialize_shell_variables` (variables.c:319). The function loops over the environment entries; line 352 detects values starting with `() {` (the exported-function marker). It reconstructs `name () {...body...}` into `temp_string` and calls `parse_and_execute(temp_string, name, SEVAL_NONINT|SEVAL_NOHIST)` at line 362.

Critical bug: `parse_and_execute` is a general shell parser/executor, not one restricted to function definitions. Once it has consumed the `() { ...; }` definition it continues parsing and executing whatever commands follow in the same string.

PoC: `env x='() { :;}; echo VULNERABLE' bash -c :` prints `VULNERABLE`.

The fix is a restricted parser mode that accepts exactly one function definition and rejects any trailing input. The upstream patches added the `SEVAL_FUNCDEF` and `SEVAL_ONECMD` flags to `parse_and_execute`, and moved function import to specially prefixed variable names (`BASH_FUNC_name%%`) so that arbitrary environment variables no longer reach the function-import path.
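As an added check that is not part of the original report: a POSIX sh script that wraps the PoC above in a function reporting whether the local `bash` still executes trailing input after an exported function body, plus a count of constructed access-log lines carrying the `() {` marker that the CGI vector delivers through request headers. The log lines, their format and the optional bash path argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the report: wrap the report's PoC in a check
# function and grep constructed log lines for the exported-function marker.

# Returns 0 if bash ignores what follows an exported function body (patched),
# 1 if it executes it (CVE-2014-6271), 2 if bash cannot be run at all.
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # The report's PoC: a function definition with a trailing command.
    # A vulnerable bash runs the trailing echo while importing the function.
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c : 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Writes a constructed sample of access-log lines (assumed Apache combined
# format). CGI hands request headers to the handler as environment
# variables, so the "() {" marker bash-4.3 keys on shows up in the UA field.
write_sample_log() {
    cat >"$1" <<'EOF'
198.51.100.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo VULNERABLE"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.35.0"
EOF
}

# Prints the number of lines in the given log that carry the "() {" marker.
count_shellshock_probes() {
    grep -c -F '() {' "$1" || true
}

if shellshock_check; then rc=0; else rc=$?; fi
case "$rc" in
    0) echo "bash: trailing input after the function body is ignored (patched)" ;;
    1) echo "bash: VULNERABLE to CVE-2014-6271" ;;
    *) echo "bash: not found" ;;
esac

SAMPLE_LOG=$(mktemp)
write_sample_log "$SAMPLE_LOG"
echo "probe lines in sample log: $(count_shellshock_probes "$SAMPLE_LOG")"
rm -f "$SAMPLE_LOG"
```

The `grep -F '() {'` pattern is deliberately the same string the bash-4.3 importer matches on, so it flags any value that would have reached the function-import path on an unpatched host.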
