Report

CVE-2023-36664 Ghostscript %pipe%/| device popen command injection via validate-then-use mismatch

9997502d-db90-48bf-86c0-fe2c13be358c

Ghostscript ≤10.01.1 lets attacker-controlled PostScript filenames reach popen(). In base/gdevpipe.c::pipe_fopen() the code validates two prefixed forms of fname ('%pipe%'+fname and '|'+fname) via gp_validate_path() with OR logic: if either call returns 0 the operation proceeds. It then passes the raw, unprefixed fname to fs_file_open_pipe(), which calls popen((char*)fname, mode) (gdevpipe.c:55), so the string that is executed is not the string that was validated.

gp_validate_path_len() (gpmisc.c:1084), for paths starting with '|' or '%pipe', skips gp_file_name_reduce() and matches the literal string against the same permission lists used for normal files, so a permissive read/write rule can implicitly authorise pipe execution. Even with -dSAFER, a crafted EPS/PS file (or sOutputFile='%pipe%id; ...') gets the shell metacharacters in fname executed by /bin/sh -c with no sanitisation.

Trigger paths include thumbnailers and converters (ImageMagick, evince, LibreOffice) that shell out to gs on untrusted documents.

Bug class: command injection / restriction bypass (validate-then-use mismatch).
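The validate-then-use mismatch above, reduced to a small model as an added example (this is not Ghostscript code; permit_file(), permit_pipe() and validate_against() are hypothetical stand-ins for the permission lists and gp_validate_path(), and "*" is modelled as an allow-all rule). The vulnerable shape checks two prefixed forms against the ordinary file lists and then hands the raw command to the sink; the hardened shape treats pipes as a separate capability, refuses them under SAFER, and passes the sink exactly the string it validated.

```c
/* Added example, not Ghostscript code: minimal model of the pipe_fopen()
 * validate-then-use mismatch. All names below are hypothetical stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static const char *file_permits[8], *pipe_permits[8];   /* "*" = allow anything */
static int n_file, n_pipe;
static void clear_permits(void) { n_file = n_pipe = 0; }
static void permit_file(const char *rule) { file_permits[n_file++] = rule; }
static void permit_pipe(const char *rule) { pipe_permits[n_pipe++] = rule; }

/* Like gp_validate_path(): 0 when a rule's prefix matches the literal name, else -1. */
static int validate_against(const char **rules, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(rules[i], "*") == 0 || strncmp(name, rules[i], strlen(rules[i])) == 0)
            return 0;
    return -1;
}

/* Vulnerable shape: "%pipe%"+fname OR "|"+fname is checked against the ordinary
 * file lists, and then the raw fname is what reaches the sink (popen() in gs).
 * Returns true if the open would proceed; 'sink' receives the command string. */
static bool open_pipe_vulnerable(const char *fname, char *sink, size_t n)
{
    char a[256], b[256];
    snprintf(a, sizeof a, "%%pipe%%%s", fname);
    snprintf(b, sizeof b, "|%s", fname);
    if (validate_against(file_permits, n_file, a) != 0 &&
        validate_against(file_permits, n_file, b) != 0)
        return false;                   /* both forms refused */
    snprintf(sink, n, "%s", fname);     /* a file-write permit authorised a command */
    return true;
}

/* Hardened shape: pipes are a separate capability (file permits never imply
 * execution), SAFER refuses them outright, and the exact string that is
 * validated is the string handed to the sink. */
static bool open_pipe_hardened(const char *fname, bool safer, char *sink, size_t n)
{
    if (safer || validate_against(pipe_permits, n_pipe, fname) != 0)
        return false;
    snprintf(sink, n, "%s", fname);     /* same bytes that passed validation */
    return true;
}
```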