Report

CVE-2023-43115: Ghostscript IJS device bypasses -dSAFER (path-traversal + RCE)

74abddc4-908d-4867-a7f6-9db6d07232ec

CVE-2023-43115 — Ghostscript (ghostpdl <= 10.01.2) ships an IJS print device (devices/gdevijs.c) that lets an attacker bypass the -dSAFER sandbox in two ways from a crafted PostScript/PDF document or a single gs command line: (a) write rendered output to ARBITRARY paths via path-traversal, and (b) execute arbitrary shell commands. The IJS device parameters IjsServer, IjsParams, DeviceManufacturer, DeviceModel and OutputFile are not subjected to the gp_validate_path / --permit-file-* allowlists that guard the rest of Ghostscript's I/O. Exploit example: gs -dSAFER -sDEVICE=ijs -sIjsServer='id > /tmp/pwn' -sOutputFile=/tmp/x in.ps — the IjsServer string is handed straight to sh -c by ijs/ijs_exec_unix.c, and the OutputFile path is forwarded verbatim to the spawned IJS server which writes wherever it's told (e.g. ../../../../etc/passwd).
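As an added example, not part of this report and not Ghostscript's own code: a small policy check that a wrapper around `gs` could apply before spawning it, imposing on the IJS device parameters the same allowlist discipline the report says Ghostscript skips for them. `--permit-file-write` / `--permit-file-all` are real Ghostscript options and are read from the argument vector; the `permit_exec` allowlist of IJS server binaries is an assumption of this example (Ghostscript has no such flag). The argument vectors in the self-test are constructed and the `ijsgutenprint` path is only a plausible placeholder.

```python
"""Audit a gs argument vector for unvalidated IJS device parameters.

Hypothetical pre-launch check (example code, not Ghostscript's). It mirrors
what gp_validate_path-style allowlisting would have done for the ijs device:
OutputFile must resolve inside a --permit-file-write prefix and IjsServer must
be an allowlisted executable, not a shell snippet.
"""
import posixpath
from typing import Dict, Iterable, List, Tuple

# Characters that would let sh -c run more than a single program name.
SHELL_META = set(";|&`$<>(){}\n\t ")


def parse_gs_args(argv: List[str]) -> Tuple[Dict[str, str], Dict[str, str], Dict[str, List[str]]]:
    """Split a gs argv into -s params, -d flags and --permit-file-* lists."""
    s_params: Dict[str, str] = {}
    d_flags: Dict[str, str] = {}
    permits: Dict[str, List[str]] = {"read": [], "write": [], "control": []}
    for tok in argv[1:]:
        if tok.startswith("--permit-file-") and "=" in tok:
            kind, _, value = tok[len("--permit-file-"):].partition("=")
            targets = permits.keys() if kind == "all" else [kind]
            for t in targets:
                if t in permits:
                    permits[t].append(value)
        elif tok.startswith("-s") and "=" in tok:
            key, _, value = tok[2:].partition("=")
            s_params[key] = value
        elif tok.startswith("-d"):
            key, _, value = tok[2:].partition("=")
            d_flags[key] = value or "true"
    return s_params, d_flags, permits


def path_permitted(path: str, prefixes: Iterable[str]) -> bool:
    """True if the normalised path lies under one of the permitted prefixes.

    Normalisation collapses '..' first, so '/tmp/out/../../etc/passwd'
    is judged as '/etc/passwd', which is the whole point of the check.
    """
    norm = posixpath.normpath(path)
    for p in prefixes:
        base = posixpath.normpath(p.rstrip("*").rstrip("/") or "/")
        if norm == base or norm.startswith(base.rstrip("/") + "/"):
            return True
    return False


def audit_gs_args(argv: List[str], permit_exec: Iterable[str] = ()) -> List[str]:
    """Return a list of findings; empty means the invocation passes policy."""
    s_params, d_flags, permits = parse_gs_args(argv)
    findings: List[str] = []
    # Only the ijs device under -dSAFER is in scope for this check.
    if "SAFER" not in d_flags or s_params.get("DEVICE") != "ijs":
        return findings

    server = s_params.get("IjsServer")
    if server is not None:
        if any(ch in SHELL_META for ch in server):
            findings.append(f"IjsServer contains shell metacharacters: {server!r}")
        if server not in set(permit_exec):
            findings.append(f"IjsServer {server!r} is not an allowlisted IJS server")

    out = s_params.get("OutputFile")
    if out is not None:
        if out.startswith("|") or out.startswith("%pipe%"):
            findings.append(f"OutputFile requests a pipe: {out!r}")
        if ".." in out.split("/"):
            findings.append(f"OutputFile contains a traversal component: {out!r}")
        if not path_permitted(out, permits["write"]):
            findings.append(f"OutputFile {out!r} is outside --permit-file-write prefixes")
    return findings


if __name__ == "__main__":
    # Constructed sample: the command line quoted in the report.
    sample = ["gs", "-dSAFER", "-sDEVICE=ijs", "-sIjsServer=id > /tmp/pwn",
              "-sOutputFile=/tmp/x", "in.ps"]
    for line in audit_gs_args(sample):
        print("DENY:", line)
```

Because `path_permitted` normalises before comparing, a traversal that lands outside the permitted prefix is rejected even when the raw string happens to begin with an allowed directory; the separate traversal finding exists only so that logs show why.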
