CVE-2019-9924: bash rbash restricted-bypass via BASH_CMDS / assign_hashcmd
CVE-2019-9924 is a restricted-shell (rbash) bypass in bash 5.0 (PATCHLEVEL 0). The vulnerability is in assign_hashcmd (variables.c:1757-1788), which handles BASH_CMDS associative-array assignments. In the vulnerable version the function has NO restricted-shell guard at all, so the sequence BASH_CMDS[a]=/bin/sh; a immediately escapes rbash: the assignment inserts a path-containing value straight into the command hash table, and running a then executes it.
Even with a partial guard added in bash-5.0-alpha ('aaaa' fix: validates value has no '/', finds it via PATH), the function still calls phash_insert(key, value, 0, 0) with the bare name (e.g., 'bash') rather than the resolved absolute path. This triggers HASH_RELPATH in phash_insert (hashcmd.c:116-117), causing phash_search to try ./value first. If a script named ./bash exists in CWD, shell_execve executes it and at execute_cmd.c:5786-5787 explicitly calls change_flag('r', FLAG_OFF), stripping restricted mode before reinvoking the shell. Even without ./bash, executing a hash-remapped entry that resolves to the 'bash' binary (not 'rbash') spawns an unrestricted shell.
Secondary component: shell_execve (execute_cmd.c:5785-5788) always clears the restricted flag when executing text-file shell scripts (no #! header), and the RBASH docs even document this: 'rbash turns off any restrictions in the shell spawned to execute the script.'
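The conditions described above (a shell binary reachable under a name other than rbash, the ./ lookup from the working directory, and text scripts without a #! header) can be audited before an rbash environment is handed to users. The sh function below is an added example, not code from bash or from this write-up; the function name, the finding labels and the SHELL_NAMES list are assumptions, and it should be run as the restricted account so the writability test reflects that user.

```sh
#!/bin/sh
# Added example, not code from bash or from the advisory: audit an rbash jail
# for the preconditions described above. SHELL_NAMES is an assumed list.
SHELL_NAMES="bash sh dash zsh ksh"

# audit_rbash_env <restricted PATH> <start directory>
# Prints one finding per line; returns 1 if anything was found, else 0.
# The body runs in a subshell so IFS and positional parameters do not leak.
audit_rbash_env() (
    rpath=$1; start=$2; rc=0
    IFS=:; set -f; set -- $rpath; set +f; unset IFS
    for dir in "$@"; do
        # Empty or relative PATH entries make command lookup depend on the CWD.
        case $dir in
            /*) ;;
            *) echo "RELATIVE_PATH_ENTRY '$dir'"; rc=1; continue ;;
        esac
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            # A name other than rbash that resolves to a shell binary gives an
            # unrestricted shell once a hash entry points at it.
            target=$(basename "$(readlink -f "$f")")
            for s in $SHELL_NAMES; do
                if [ "$target" = "$s" ] && [ "$(basename "$f")" != rbash ]; then
                    echo "SHELL_IN_PATH $f -> $target"; rc=1
                fi
            done
            # Text executables without "#!" are run with restrictions turned off.
            if grep -Iq . "$f" && [ "$(head -c 2 "$f")" != '#!' ]; then
                echo "HEADERLESS_SCRIPT $f"; rc=1
            fi
        done
    done
    # The ./name lookup matters when an executable is, or can be put, in the CWD.
    for f in "$start"/*; do
        if [ -f "$f" ] && [ -x "$f" ]; then
            echo "EXECUTABLE_IN_START_DIR $f"; rc=1
        fi
    done
    if [ -w "$start" ]; then echo "WRITABLE_START_DIR $start"; rc=1; fi
    return "$rc"
)
```

Call it as audit_rbash_env "$PATH" "$HOME" from inside the restricted account; any output line is a condition to remove before relying on rbash as a boundary.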