CVE-2023-43115 Ghostscript IJS device SAFER bypass via IjsServer / sh -c

Ghostscript's IJS device (devices/gdevijs.c) lets a PostScript/PDF or CLI invocation set the IjsServer device parameter. gsijs_open at line 822 passes this unchecked string to ijs_invoke_server, which on Unix runs execvp("sh","-c",IjsServer,NULL) (ijs/ijs_exec_unix.c:73-78). No call to gp_validate_path / gs_add_control_path is made on either IjsServer or the output filename, so the SAFER permitted-paths sandbox (-dSAFER, --permit-file-*) is never consulted. An attacker controlling IjsServer therefore obtains arbitrary command execution and arbitrary file write — including ../ traversal — even with -dSAFER.