This is another instance of a highly priviledged operator being accessible by specially crafted Postscript code, that can be used to break out of the -dSAFER limitations. It was found that .forceput operator was present and unprotected in the .charkeys method and could be retrieved via manipulation of the error handler. The .charkeys method was vulnerable since ghostscript-9.15, in one way or another: the privileged operator was superexec instead of .forceput until a more recent version.