by daveloyall
4289 days ago
Yeah, it's a feature, working as intended. This is how you define a shell function and then use it in sub-scripts. As the author noted, using this as an exploit requires control of the variable names, and common tools (httpd, dhclient, etc.) that set variables in the environment have explicit naming conventions in place to prevent this. To be clear: I'll change my tune if someone finds a way to exploit this remotely.

I don't see how this qualifies as much of a vulnerability. Maybe now that bash's imported-function feature is better known we'll see it leveraged as part of a multi-step attack though.