Pillow release 2.7.0 fixes a potential denial-of-service issue in PNG decompression code.
Exact upstream commit that resolves this:
Common Vulnerabilities and Exposures assigned the identifier CVE-2014-9601 to
the following vulnerability:
Pillow before 2.7.0 allows remote attackers to cause a denial of
service via a compressed text chunk in a PNG image that has a large
size when it is decompressed.
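
The defence against this class of bug is to cap how many bytes a compressed text chunk may inflate to. The following is an added example, not Pillow's code or the upstream commit: a zTXt reader with bounded decompression. All function names and the 64 KiB limit are assumptions chosen for illustration, and only zTXt (not iTXt) chunks are handled.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_TEXT_BYTES = 64 * 1024  # assumed cap for this example, not a Pillow constant

def bounded_inflate(data, limit=MAX_TEXT_BYTES):
    """Inflate a zlib stream, never buffering more than limit + 1 bytes."""
    d = zlib.decompressobj()
    out = d.decompress(data, limit + 1)  # one extra byte reveals an overrun
    if len(out) > limit:
        raise ValueError("compressed text chunk inflates past %d bytes" % limit)
    if not d.eof:
        raise ValueError("truncated zlib stream in text chunk")
    return out

def iter_chunks(png):
    """Yield (type, data) for each PNG chunk after checking length and CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:end]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", png[end:end + 4])[0]:
            raise ValueError("bad chunk CRC")
        yield ctype, data
        pos = end + 4

def read_ztxt(png, limit=MAX_TEXT_BYTES):
    """Return {keyword: text} for every zTXt chunk, inflating each under the cap."""
    texts = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"zTXt":
            keyword, sep, rest = data.partition(b"\0")
            if not sep or not rest or rest[0] != 0:  # compression method 0 = deflate
                raise ValueError("malformed zTXt chunk")
            texts[keyword.decode("latin-1")] = bounded_inflate(rest[1:], limit).decode("latin-1")
    return texts

def make_chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def sample_png(text):  # constructed sample: signature, one zTXt chunk, IEND
    return PNG_SIGNATURE + make_chunk(b"zTXt", b"Comment\0\0" + zlib.compress(text)) + make_chunk(b"IEND", b"")
```

Text that fits under the cap is returned normally; anything that would inflate past it is rejected before the full output is ever held in memory.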