CVE-2023-43115: Ghostscript IJS device SAFER sandbox bypass via path traversal + command injection
4a49ea49-5d4e-4bb1-af99-604a3431a417
In Ghostscript through 10.01.2 (ghostpdl-10.01.2), the IJS printer device handler in devices/gdevijs.c contains a SAFER sandbox bypass. The gsijs_open() function (lines 767-882) has two related issues:

1. PATH TRAVERSAL: At line 793, gsijs_open sets OpenOutputFile=false by default, which causes gdev_prn_open() to skip calling gdev_prn_open_printer(). That skip bypasses all of Ghostscript's SAFER mode file-write access control checks. The output filename (ijsdev->fname) is then forwarded raw to the external IJS server subprocess at lines 854-856 via ijs_client_set_param(ctx, 0, 'OutputFile', ijsdev->fname, ...). The external IJS server writes to this path without any SAFER restrictions.

2. COMMAND INJECTION: At line 822, gsijs_open calls ijs_invoke_server(ijsdev->IjsServer) WITHOUT checking dev->LockSafetyParams (the SAFER mode flag). A comment warns 'use -dSAFER' but provides no enforcement. The IjsServer string is passed to sh -c in ijs/ijs_exec_unix.c lines 72-78 (execvp('sh', ['sh', '-c', server_cmd])), enabling shell injection for any server_cmd set before SAFER activates. gsijs_put_params does check LockSafetyParams to block CHANGES to IjsServer at runtime, but the EXECUTION of the already-stored value has no SAFER check.
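The two decision points above, modelled side by side as an added example: this is illustrative code, not Ghostscript's own gdevijs.c and not the upstream fix. The ijs_device struct, the error codes, the /tmp/out/ path rule standing in for the SAFER permit lists, and the _model/_vulnerable/_hardened function names are all assumptions made for the sketch.

```c
#include <stdbool.h>
#include <string.h>

/* Illustrative model of the two decision points in gsijs_open(); the struct,
 * error codes and /tmp/out/ rule are stand-ins, not Ghostscript's own code. */
typedef struct {
    bool LockSafetyParams;  /* true once -dSAFER is active */
    bool OpenOutputFile;    /* gsijs_open() sets this false by default */
    const char *IjsServer;  /* command that ijs_invoke_server() hands to sh -c */
    const char *fname;      /* OutputFile forwarded to the external server */
} ijs_device;

enum { IJS_OK = 0, IJS_ERR_INVALIDACCESS = -1, IJS_ERR_INVALIDFILEACCESS = -2 };

/* Stand-in for the SAFER write permit list: only /tmp/out/ without "..". */
static bool safer_write_allowed(const char *path) {
    return strncmp(path, "/tmp/out/", 9) == 0 && strstr(path, "..") == NULL;
}

/* Model of gdev_prn_open(): the SAFER file check belongs to the
 * gdev_prn_open_printer() step, which runs only when OpenOutputFile is set. */
static int gdev_prn_open_model(const ijs_device *dev) {
    if (!dev->OpenOutputFile)
        return IJS_OK;                   /* printer step skipped: no check at all */
    if (dev->LockSafetyParams && !safer_write_allowed(dev->fname))
        return IJS_ERR_INVALIDFILEACCESS;
    return IJS_OK;
}

/* Affected behaviour: the file check is skipped and LockSafetyParams is never
 * consulted, so the caller goes on to spawn IjsServer and forward fname raw. */
int gsijs_open_vulnerable(ijs_device *dev) {
    dev->OpenOutputFile = false;
    return gdev_prn_open_model(dev);
}

/* Hardened model: keep the output file on the checked path, and refuse to
 * execute any external command at all while SAFER is active. */
int gsijs_open_hardened(ijs_device *dev) {
    int code;
    dev->OpenOutputFile = true;
    if ((code = gdev_prn_open_model(dev)) != IJS_OK)
        return code;                     /* OutputFile outside the permit list */
    if (dev->LockSafetyParams)
        return IJS_ERR_INVALIDACCESS;    /* no sh -c subprocess under -dSAFER */
    return IJS_OK;                       /* only now would ijs_invoke_server() run */
}
```

With SAFER active, the vulnerable path returns IJS_OK for any filename and any server string, while the hardened path rejects a traversing OutputFile first and refuses to reach the subprocess step at all.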