Hello!
As I ran into this issue, I am giving here a short summary of what I
understand, so that others do not have to re-read everything again:
AFAIU, there are two issues: one is related to Ghostscript, and one to
ImageMagick itself.
Ghostscript
===========
According to https://www.kb.cert.org/vuls/id/332928/ the issue is
addressed in Ghostscript 9.24.
Except for Debian old-old-stable, Debian does ship versions above 9.24:
https://tracker.debian.org/pkg/ghostscript
ImageMagick
===========
Issue described here:
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
This is fixed in ImageMagick 6.9.11 and later, which is available in
Bullseye but not earlier versions of Debian.
Current status reflected there:
https://security-tracker.debian.org/tracker/CVE-2020-29599
- ulrike