Report

CVE-2023-36664: Ghostscript %pipe% device popen() command injection

4059e32c-3e85-4439-98ac-99a6061c4121

Ghostscript (ghostpdl <= 10.01.1) exposes a %pipe% IODevice that maps PostScript filenames beginning with '%pipe%' or '|' to popen(). The validation in base/gdevpipe.c:pipe_fopen builds the synthetic strings '%pipe%' and '|' (the device prefix alone, not the command that follows it) and feeds them to gp_validate_path(), which runs gp_file_name_reduce() on them and matches the result against the SAFER permit list as if they were filesystem paths.

Because a pipe command is validated as though it were a path (a path-vs-command type confusion), SAFER does not block it, and on systems where path_control_active == 0 the check is a no-op altogether. fs_file_open_pipe() then calls popen((char*)fname, mode) with the attacker-controlled fname, giving remote code execution.

Real-world impact: ImageMagick auto-invokes gs on EPS uploads, so a crafted EPS gives RCE on any web service that thumbnails uploads.
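For the upload pipelines the last paragraph describes, the practical defence until gs is patched is to refuse any document that names the pipe device before it is handed to Ghostscript. The scanner below is an added example written for this report; it is not Ghostscript or ImageMagick code. It tokenizes PostScript string syntax (the `(...)` literal form with its backslash escapes, and `<hex>` strings, since a `%pipe%` name can be spelled either way), decodes each string and flags values starting with `%pipe%` or `|`. The two EPS documents at the bottom are constructed samples with placeholder text, and `find_pipe_refs`, `extract_strings` and `decode_literal` are names chosen here.

```python
"""Pre-filter for PostScript/EPS uploads: flag Ghostscript pipe-device names.

Added example, not Ghostscript or ImageMagick code. It walks PostScript string
syntax ((...) literals with escapes, <hex> strings) and reports any string whose
value starts with '%pipe%' or '|', so an upload can be rejected before it
reaches gs. The sample documents at the bottom are constructed.
"""
import re

PIPE_PREFIXES = (b"%pipe%", b"|")
# Single-character escapes allowed inside a (...) literal.
_ESCAPES = {0x6E: 10, 0x72: 13, 0x74: 9, 0x62: 8, 0x66: 12,
            0x5C: 0x5C, 0x28: 0x28, 0x29: 0x29}


def decode_literal(body):
    """Resolve backslash escapes: \\n-style, \\ddd octal, line continuation."""
    out, i = bytearray(), 0
    while i < len(body):
        c = body[i]
        if c != 0x5C:
            out.append(c)
            i += 1
            continue
        i += 1
        if i >= len(body):                    # dangling backslash at end
            break
        e = body[i]
        if e in _ESCAPES:
            out.append(_ESCAPES[e])
            i += 1
        elif 0x30 <= e <= 0x37:               # \ddd: up to three octal digits
            j = i
            while j < len(body) and j - i < 3 and 0x30 <= body[j] <= 0x37:
                j += 1
            out.append(int(body[i:j], 8) & 0xFF)
            i = j
        elif e in (10, 13):                   # backslash-newline joins lines
            i += 2 if body[i:i + 2] == b"\r\n" else 1
        else:                                 # unknown escape keeps the char
            out.append(e)
            i += 1
    return bytes(out)


def extract_strings(data):
    """Return (offset, decoded value) for every string token in data."""
    found, i, n = [], 0, len(data)
    while i < n:
        if data[i] == 0x25:                   # '%' comment runs to end of line
            while i < n and data[i] not in (10, 13):
                i += 1
        elif data[i] == 0x28:                 # '(' literal string, parens nest
            depth, j = 1, i + 1
            while j < n and depth:
                if data[j] == 0x5C:
                    j += 2                    # skip the escaped character
                    continue
                depth += {0x28: 1, 0x29: -1}.get(data[j], 0)
                j += 1
            found.append((i, decode_literal(data[i + 1:j - 1])))
            i = j
        elif data.startswith(b"<<", i):       # dictionary start, not a string
            i += 2
        elif data[i] == 0x3C:                 # '<' hex string
            end = data.find(b">", i + 1)
            if end < 0:
                break
            hexbody = re.sub(rb"\s+", b"", data[i + 1:end])
            if len(hexbody) % 2:
                hexbody += b"0"               # odd trailing digit pads with 0
            try:
                found.append((i, bytes.fromhex(hexbody.decode("ascii"))))
            except ValueError:                # not hex (e.g. a '<' in text)
                pass
            i = end + 1
        else:
            i += 1
    return found


def find_pipe_refs(data):
    """Strings that would select the %pipe% device if used as a file name."""
    return [(off, val) for off, val in extract_strings(data)
            if val.startswith(PIPE_PREFIXES)]


# Constructed samples: a benign EPS, and one carrying pipe-device names
# (placeholder text; one as a literal string, one hex-encoded).
CLEAN_EPS = b"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 100 100
% the word %pipe% inside a comment is not a string
(Hello \\(world\\)) show
"""
SUSPECT_EPS = b"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 100 100
(%pipe%PLACEHOLDER_COMMAND)
<7c50 4c41 4345 484f 4c44 4552>
"""
```

Running `find_pipe_refs(SUSPECT_EPS)` returns both the literal and the hex-encoded name, while the clean document yields nothing even though `%pipe%` appears in a comment. The scanner is a screening layer, not a substitute for upgrading Ghostscript: it does not decode `<~...~>` ASCII85 strings or strings assembled at run time from PostScript operators, so a service that thumbnails uploads should also stop ImageMagick from delegating PS/EPS to gs at all (disabling those coders in its policy.xml) until a fixed Ghostscript is deployed.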