
Download CVE images instead of storing them on disk #4792

Closed
radarhere wants to merge 1 commit into python-pillow:master from radarhere:cve

Conversation

@radarhere (Member)

Proof of concept solution for #4730

The Pillow test suite contains several images to trigger past CVEs, for the purpose of ensuring that they do not recur. However, as the issue describes, antivirus software is not aware that Pillow is up-to-date and so these are no longer vulnerabilities.

The strategy suggested here is to remove the images from Pillow, and instead store them in pillow-depends. To ensure that they are still run each time though, instead of optionally downloading that repository, the tests could download each image as needed.

Obviously the URL needs to be changed in this PR, and it could be more widely implemented. Just wanted to create this to provide clarity.

@wiredfool (Member)

Tests shouldn't rely on the network being available -- the tests need to be deterministic based on what's on the disk.

Either:

  1. It should stay, it's important
  2. It should go in the additional test images repo
  3. It should be in a pw protected zip/xor'd file with a known password like 'sudo_ignore_this_avast_this_is_a_false_positive'

(fwiw, tests that rely on network have been a pain over the last months as I've been on connections that are flakey to one level or other, and cell hotspots aren't much better)
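One way the third option above could look, as an added example that is not Pillow's code and not part of the thread: the regression image is kept on disk XOR'd with a fixed, well-known key and recovered in memory when the test runs, so the test stays deterministic and offline while the raw bytes a scanner matches on never exist as a file. The file name, helper names and the sample image bytes are assumptions; the key is the one quoted in the comment.

```python
import io
import tempfile
from pathlib import Path
from typing import Tuple

# Constructed sample input: a PNG signature plus filler, standing in for a
# CVE regression image that antivirus software would flag on disk.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_IMAGE = PNG_MAGIC + b"IHDR" + bytes(range(64))

# Not a secret: the point is only that the bytes on disk differ from the image.
XOR_KEY = b"sudo_ignore_this_avast_this_is_a_false_positive"


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; applying it twice restores the original bytes."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def store_obfuscated(image_bytes: bytes, dest: Path) -> None:
    """Write the regression image in XOR'd form (done once, when adding a test)."""
    dest.write_bytes(xor_bytes(image_bytes))


def load_obfuscated(src: Path) -> io.BytesIO:
    """Recover the image in memory at test time; no file and no network needed.
    The returned stream can be handed straight to Image.open()."""
    return io.BytesIO(xor_bytes(src.read_bytes()))


def roundtrip(image_bytes: bytes = SAMPLE_IMAGE) -> Tuple[bytes, bytes]:
    """Store then reload; returns (bytes as stored on disk, bytes recovered)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "cve_regression.png.xor"  # hypothetical file name
        store_obfuscated(image_bytes, path)
        on_disk = path.read_bytes()
        recovered = load_obfuscated(path).read()
    return on_disk, recovered


if __name__ == "__main__":
    stored, back = roundtrip()
    print("on-disk copy starts with PNG magic:", stored.startswith(PNG_MAGIC))
    print("recovered copy matches original:", back == SAMPLE_IMAGE)
```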
