From ${URL} : * Python Imaging Library: https://bugs.debian.org/737059 Note that we have two slightly different kinds of problems here: 1) in IptcImagePlugin.py and Image.py there's tempfile.mktemp() followed by open() in the same subprocess; 2) in JpegImagePlugin.py and EpsImagePlugin.py, temporary file name generated by tempfile.mktemp() is passed to an external process. The latter kind is much easier to exploit, at least on some systems, because commandlines are not secret. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
See the note in the duplicate bug for the explanation. *** This bug has been marked as a duplicate of bug 507982 ***