Deprecate FreeType 2.7, to be removed in Pillow 9 (2022-01-02)

2025-01-13 10:46:16 +03:00 · 2020-12-16 18:21:37 +02:00 · 2020-12-16 18:21:37 +02:00 · 27bf17009c
commit 27bf17009c
parent ff40eaa961
5 changed files with 85 additions and 1 deletions
--- a/Tests/test_imagefont.py
+++ b/Tests/test_imagefont.py
@ -998,3 +998,15 @@ def test_render_mono_size():

    draw.text((10, 10), "r" * 10, "black", ttf)
    assert_image_equal_tofile(im, "Tests/images/text_mono.gif")
+
+
+def test_freetype_deprecation(monkeypatch):
+    # Arrange: mock features.version_module to return fake FreeType version
+    def fake_version_module(module):
+        return "2.7"
+
+    monkeypatch.setattr(features, "version_module", fake_version_module)
+
+    # Act / Assert
+    with pytest.warns(DeprecationWarning):
+        ImageFont.truetype(FONT_PATH, FONT_SIZE)
--- a/docs/deprecations.rst
+++ b/docs/deprecations.rst
@ -12,6 +12,20 @@ Deprecated features
 Below are features which are considered deprecated. Where appropriate,
 a ``DeprecationWarning`` is issued.

+FreeType 2.7
+~~~~~~~~~~~~
+
+.. deprecated:: 8.1.0
+
+Support for FreeType 2.7 is deprecated and will be removed in Pillow 9.0.0 (2022-01-02),
+when FreeType 2.8 will be the minimum supported.
+
+We recommend upgrading to at least FreeType `2.10.4`_, which fixed a severe
+vulnerability introduced in FreeType 2.6 (CVE-2020-15999_).
+
+.. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
+.. _CVE-2020-15999: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
+
 Image.show command parameter
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- a/docs/releasenotes/8.1.0.rst
+++ b/docs/releasenotes/8.1.0.rst
@ -0,0 +1,45 @@
+8.1.0
+-----
+
+Deprecations
+============
+
+FreeType 2.7
+^^^^^^^^^^^^
+
+Support for FreeType 2.7 is deprecated and will be removed in Pillow 9.0.0 (2022-01-02),
+when FreeType 2.8 will be the minimum supported.
+
+We recommend upgrading to at least FreeType `2.10.4`_, which fixed a severe
+vulnerability introduced in FreeType 2.6 (:cve:`CVE-2020-15999`).
+
+.. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
+
+API Changes
+===========
+
+TODO
+^^^^
+
+TODO
+
+API Additions
+=============
+
+TODO
+^^^^
+
+TODO
+
+Security
+========
+
+TODO
+
+Other Changes
+=============
+
+TODO
+^^^^
+
+TODO
--- a/docs/releasenotes/index.rst
+++ b/docs/releasenotes/index.rst
@ -13,6 +13,7 @@ expected to be backported to earlier versions.
 .. toctree::
  :maxdepth: 2

+  8.1.0
  8.0.1
  8.0.0
  7.2.0
--- a/src/PIL/ImageFont.py
+++ b/src/PIL/ImageFont.py
@ -28,9 +28,12 @@
 import base64
 import os
 import sys
+import warnings
 from io import BytesIO

-from . import Image
+from packaging.version import parse as parse_version
+
+from . import Image, features
 from ._util import isDirectory, isPath

 LAYOUT_BASIC = 0
@ -164,6 +167,15 @@ class FreeTypeFont:
        self.index = index
        self.encoding = encoding

+        freetype_version = parse_version(features.version_module("freetype2"))
+        if freetype_version < parse_version("2.8"):
+            warnings.warn(
+                "Support for FreeType 2.7 is deprecated and will be removed in Pillow "
+                "9 (2022-01-02). Please upgrade to FreeType 2.8 or newer, preferably "
+                "FreeType 2.10.4 which fixes CVE-2020-15999.",
+                DeprecationWarning,
+            )
+
        if layout_engine not in (LAYOUT_BASIC, LAYOUT_RAQM):
            layout_engine = LAYOUT_BASIC
            if core.HAVE_RAQM: