CVE-2023-43115: Ghostscript IJS device path-traversal/sandbox-escape via subprocess file delegation

CVE-2023-43115 in Ghostscript (ghostpdl-10.01.2). The IJS printer device handler in devices/gdevijs.c allows writing output to arbitrary paths and executing arbitrary commands, bypassing the -dSAFER sandbox. Two linked flaws in gsijs_open():

1. PATH TRAVERSAL: When IjsUseOutputFD=false (default), gsijs_open sets OpenOutputFile=false (line 793) so Ghostscript itself never opens the output file. This completely skips SAFER file-path validation. The raw fname (user-controlled, may contain ../) is then sent verbatim to the IJS server subprocess via ijs_client_set_param(ctx, 0, "OutputFile", ijsdev->fname, strlen(ijsdev->fname)) at lines 855-856. The IJS server runs OUTSIDE the SAFER sandbox and writes to whatever path it receives.

2. COMMAND INJECTION: Line 822 calls ijs_invoke_server(ijsdev->IjsServer) with no SAFER/LockSafetyParams check (only a comment warning). In ijs/ijs_exec_unix.c, the server is launched as execvp("sh", ["sh", "-c", server_cmd, NULL]) — so any shell metacharacters in IjsServer execute arbitrary commands. While gsijs_put_params prevents PostScript from changing IjsServer when SAFER is active, there is no check in gsijs_open itself.