Report
CVE-2023-43115: Ghostscript IJS device bypasses SAFER sandbox for output file path traversal
2a872a25-fa93-49ed-b414-2874c75e0839
In Ghostscript's IJS device (devices/gdevijs.c), the gsijs_open() function deliberately sets OpenOutputFile=false to let the IJS server subprocess handle the output file. This bypasses Ghostscript's normal sandboxed file I/O (gx_device_open_output_file / gp_open_printer) which enforces gs_permit_file_writing restrictions under SAFER mode. The output filename (fname) is then forwarded directly to the IJS server via ijs_client_set_param(), and the IJS server subprocess opens the file using unrestricted OS file I/O — completely outside the SAFER sandbox. An attacker can specify -sOutputFile=../../etc/cron.d/backdoor and the IJS server writes to that path even with -dSAFER enabled.
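The missing step described above is a write-permission check on the output name before it leaves the sandboxed process. The following is an added example, not Ghostscript or IJS code: `resolve` and `output_path_permitted` are hypothetical names, the single allowed directory is an assumption standing in for the SAFER write permit list, and the paths in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Lexically resolve fname against cwd into out (absolute, no "." or "..").
   Symlinks are NOT resolved; a production check must also handle those. */
static int resolve(const char *cwd, const char *fname, char *out, size_t n)
{
    char buf[1024];
    size_t len = 0;
    int w = snprintf(buf, sizeof buf, "%s/%s", fname[0] == '/' ? "" : cwd, fname);
    if (w < 0 || (size_t)w >= sizeof buf)
        return -1;
    out[0] = '\0';
    for (char *seg = strtok(buf, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0)
            continue;
        if (strcmp(seg, "..") == 0) {           /* drop the last component */
            while (len > 0 && out[--len] != '/')
                ;
            out[len] = '\0';
            continue;
        }
        if (len + strlen(seg) + 2 > n)
            return -1;
        len += (size_t)sprintf(out + len, "/%s", seg);
    }
    return 0;
}

/* 1 only if fname resolves to a file below `allowed` (absolute directory,
   no trailing slash); 0 for anything else, including resolve failures. */
int output_path_permitted(const char *cwd, const char *fname, const char *allowed)
{
    char full[1024];
    size_t alen = strlen(allowed);
    if (resolve(cwd, fname, full, sizeof full) != 0)
        return 0;
    return strncmp(full, allowed, alen) == 0 && full[alen] == '/';
}

int main(void)
{
    /* Constructed inputs: job directory and candidate OutputFile values. */
    const char *dir = "/var/spool/job", *names[] = {
        "out.prn", "../../etc/cron.d/backdoor", "/var/spool/jobs/out.prn" };
    for (size_t i = 0; i < sizeof names / sizeof *names; i++)
        printf("%-28s %s\n", names[i],
               output_path_permitted(dir, names[i], dir) ? "forward" : "refuse");
    return 0;
}
```

The check has to run in the parent, before the name is forwarded, because the subprocess opens the file with ordinary OS calls and applies no policy of its own.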