--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/python/imaging/patches/01-CVE-2014-1932-1933.patch Wed Apr 09 15:06:42 2014 -0700
@@ -0,0 +1,88 @@
+# Patch based on fix to CVE-2014-1932, CVE-2014-1933 from
+# https://github.com/python-imaging/Pillow/commit/4e9f367dfd3f04c8f5d23f7f759ec12782e10ee7
+# plus subsequent fixes at
+# https://github.com/python-imaging/Pillow/commit/844ed441deb6b75d3048fa111977188ed47f0b76
+# and
+# https://github.com/python-imaging/Pillow/commit/86d5c5c3894f58895f31287081cdd146f5fe00f7
+#
+# Patch to be contributed upstream to PIL version 1.1.7
+
+diff -rup Imaging-1.1.7-orig/PIL/EpsImagePlugin.py Imaging-1.1.7/PIL/EpsImagePlugin.py
+--- Imaging-1.1.7-orig/PIL/EpsImagePlugin.py 2009-10-31 17:44:11.000000000 -0700
++++ Imaging-1.1.7/PIL/EpsImagePlugin.py 2014-04-07 09:59:16.000000000 -0700
+@@ -44,7 +44,8 @@ def Ghostscript(tile, size, fp):
+
+ import tempfile, os
+
+- file = tempfile.mktemp()
++ out_fd, file = tempfile.mkstemp()
++ os.close(out_fd)
+
+ # Build ghostscript command
+ command = ["gs",
+diff -rup Imaging-1.1.7-orig/PIL/Image.py Imaging-1.1.7/PIL/Image.py
+--- Imaging-1.1.7-orig/PIL/Image.py 2009-11-15 07:51:25.000000000 -0800
++++ Imaging-1.1.7/PIL/Image.py 2014-04-08 15:57:22.704420000 -0700
+@@ -482,14 +482,20 @@ class Image:
+ self.readonly = 0
+
+ def _dump(self, file=None, format=None):
+- import tempfile
++ import tempfile, os
++ suffix = ''
++ if format:
++ suffix = '.' + format
+ if not file:
+- file = tempfile.mktemp()
++ f, file = tempfile.mkstemp(suffix)
++ os.close(f)
++
+ self.load()
+ if not format or format == "PPM":
+ self.im.save_ppm(file)
+ else:
+- file = file + "." + format
++ if not file.endswith(format):
++ file = file + "." + format
+ self.save(file, format)
+ return file
+
+diff -rup Imaging-1.1.7-orig/PIL/IptcImagePlugin.py Imaging-1.1.7/PIL/IptcImagePlugin.py
+--- Imaging-1.1.7-orig/PIL/IptcImagePlugin.py 2009-10-31 17:44:12.000000000 -0700
++++ Imaging-1.1.7/PIL/IptcImagePlugin.py 2014-04-04 11:37:00.000000000 -0700
+@@ -173,8 +173,8 @@ class IptcImageFile(ImageFile.ImageFile)
+ self.fp.seek(offset)
+
+ # Copy image data to temporary file
+- outfile = tempfile.mktemp()
+- o = open(outfile, "wb")
++ o_fd, outfile = tempfile.mkstemp()
++ o = os.fdopen(o_fd)
+ if encoding == "raw":
+ # To simplify access to the extracted file,
+ # prepend a PPM header
+diff -rup Imaging-1.1.7-orig/PIL/JpegImagePlugin.py Imaging-1.1.7/PIL/JpegImagePlugin.py
+--- Imaging-1.1.7-orig/PIL/JpegImagePlugin.py 2009-10-31 17:44:12.000000000 -0700
++++ Imaging-1.1.7/PIL/JpegImagePlugin.py 2014-04-07 10:03:37.000000000 -0700
+@@ -344,13 +344,17 @@ class JpegImageFile(ImageFile.ImageFile)
+ # ALTERNATIVE: handle JPEGs via the IJG command line utilities
+
+ import tempfile, os
+- file = tempfile.mktemp()
+- os.system("djpeg %s >%s" % (self.filename, file))
++ f, path = tempfile.mkstemp()
++ os.close(f)
++ if os.path.exists(self.filename):
++ os.system("djpeg '%s' >'%s'" % (self.filename, path))
++ else:
++ raise ValueError("Invalid Filename")
+
+ try:
+- self.im = Image.core.open_ppm(file)
++ self.im = Image.core.open_ppm(path)
+ finally:
+- try: os.unlink(file)
++ try: os.unlink(path)
+ except: pass
+
+ self.mode = self.im.mode