GHSA-mxhj-88fx-4pcv: Fickling: OBJ opcode call invisibility bypasses all safety checks

All 5 of fickling’s safety interfaces – is_likely_safe(), check_safety(), CLI --check-safety, always_check_safety(), and the check_safety() context manager – report LIKELY_SAFE / raise no exceptions for pickle files that use the OBJ opcode to call dangerous stdlib functions (signal handlers, network servers, network connections, file operations). The OBJ opcode’s implementation in fickling pushes function calls directly onto the interpreter stack without persisting them to the AST via new_variable(). When the result is discarded with POP, the call vanishes from the final AST entirely, making it invisible to all 9 analysis passes.

This is a separate vulnerability from the REDUCE+BUILD bypass, with a different root cause. It survives all three proposed fixes for the REDUCE+BUILD vulnerability.