Leo Famulari writes:

>> I'm trying to figure out where the patches for this are, but I can't
>> find them.  I expected them to maybe be here, but I don't see them here:
>
> I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues.
>
> When I did that, CVE-2016-2533 wasn't named yet, but my understanding is
> that the update does address it:
> https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be
>
> Python2-pil *is* vulnerable. However, it seems to have no users in our
> source tree. Should we remove it?

I think so.  Here's a patch to remove it.  Look good?  (Not sure if this
needs a review or not :))

 - Chris