CVE-2023-43115 — Ghostscript IJS device bypasses SAFER for OutputFile and IjsServer
32f78183-f363-4249-a862-d7c88452f004
Ghostscript's IJS device handler (devices/gdevijs.c::gsijs_open, ~lines 767-882) bypasses the -dSAFER sandbox. The IjsServer parameter is exec'd via ijs_invoke_server() (line 822), and the OutputFile path (ijsdev->fname) is forwarded to the IJS server via ijs_client_set_param(ctx, 0, "OutputFile", ...) (lines 855-856) with no gp_validate_path() check. This permits arbitrary file write (path traversal with ../) and arbitrary command execution from a PostScript stream, even when -dSAFER is set. The only gating is dev->LockSafetyParams in gsijs_put_params, which merely blocks changes to the parameter after the device is locked — it does not consult the SAFER permitted_writes/permitted_reads lists. IjsParams (a comma-separated key=value list) is also forwarded unfiltered to the server, so OutputFile can be smuggled there as well.
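An added illustration of the missing gating, not Ghostscript's own code or fix: a Python model of the checks gsijs_open would need before handing parameters to the server. parse_ijs_params, path_permitted and check_ijs_device are assumed names, permitted_writes stands in for the SAFER list, and allowed_servers is an assumed explicit allowlist for IjsServer.

```python
import posixpath

# Added illustration (not Ghostscript code): the gating that gsijs_open lacks.
# permitted_writes stands in for the SAFER list; allowed_servers is an assumed
# explicit allowlist of IJS server executables.

def parse_ijs_params(params):
    """Split an IjsParams string ("k1=v1,k2=v2") into a dict of str -> str."""
    result = {}
    for item in params.split(","):
        key, sep, value = item.strip().partition("=")
        if sep and key.strip():
            result[key.strip()] = value.strip()
    return result

def path_permitted(path, permitted_writes):
    """True if the normalised path lies inside one of the permitted prefixes.

    normpath collapses '..', so 'out/../../etc/x' is judged by where it really
    lands, not by the prefix it starts with. A relative path that still begins
    with '..' escapes the working directory and is refused outright.
    """
    if not path:
        return False
    norm = posixpath.normpath(path)
    if norm == ".." or norm.startswith("../"):
        return False
    for base in permitted_writes:
        base = posixpath.normpath(base)
        if norm == base or norm.startswith(base + "/"):
            return True
    return False

def check_ijs_device(output_file, ijs_params, ijs_server,
                     permitted_writes, allowed_servers):
    """Return (allowed, reason) for one IJS device configuration.

    OutputFile is checked from both the device parameter and the IjsParams
    string, since the server honours either source.
    """
    if ijs_server not in allowed_servers:
        return False, f"IjsServer {ijs_server!r} is not an allowed server"
    params = parse_ijs_params(ijs_params)
    for path in (output_file, params.get("OutputFile")):
        if path and not path_permitted(path, permitted_writes):
            return False, f"OutputFile {path!r} is outside permitted_writes"
    return True, "ok"
```

The values below are constructed: /tmp/gs-out is the only permitted write prefix and /opt/ijs/server-placeholder the only allowed server.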