Please see:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html