Merge pull request #5098 from hugovk/deprecate-freetype

Deprecate FreeType 2.7

.github/workflows/test.yml

@@ -104,7 +104,7 @@ jobs:
     - name: Docs
       if: startsWith(matrix.os, 'ubuntu') && matrix.python-version == 3.9
       run: |
-        python3 -m pip install sphinx-removed-in sphinx-rtd-theme
+        python3 -m pip install sphinx-issues sphinx-removed-in sphinx-rtd-theme
         make doccheck
 
     - name: After success

Makefile

@@ -33,7 +33,7 @@ doccheck:
 
 .PHONY: docserve
 docserve:
-	cd docs/_build/html && python3 -mSimpleHTTPServer 2> /dev/null&
+	cd docs/_build/html && python3 -m http.server 2> /dev/null&
 
 .PHONY: help
 help:

Tests/test_imagefont.py

@@ -968,3 +968,15 @@ def test_render_mono_size():
 
     draw.text((10, 10), "r" * 10, "black", ttf)
     assert_image_equal_tofile(im, "Tests/images/text_mono.gif")
+
+
+def test_freetype_deprecation(monkeypatch):
+    # Arrange: mock features.version_module to return fake FreeType version
+    def fake_version_module(module):
+        return "2.7"
+
+    monkeypatch.setattr(features, "version_module", fake_version_module)
+
+    # Act / Assert
+    with pytest.warns(DeprecationWarning):
+        ImageFont.truetype(FONT_PATH, FONT_SIZE)

docs/Makefile

@@ -156,4 +156,4 @@ livehtml: html
 	livereload $(BUILDDIR)/html -p 33233
 
 serve:
-	cd $(BUILDDIR)/html; python -m SimpleHTTPServer
+	cd $(BUILDDIR)/html; python3 -m http.server

docs/conf.py

@@ -32,6 +32,7 @@ extensions = [
     "sphinx.ext.autodoc",
     "sphinx.ext.intersphinx",
     "sphinx.ext.viewcode",
+    "sphinx_issues",
     "sphinx_removed_in",
 ]
 

docs/deprecations.rst

@@ -12,6 +12,19 @@ Deprecated features
 Below are features which are considered deprecated. Where appropriate,
 a ``DeprecationWarning`` is issued.
 
+FreeType 2.7
+~~~~~~~~~~~~
+
+.. deprecated:: 8.1.0
+
+Support for FreeType 2.7 is deprecated and will be removed in Pillow 9.0.0 (2022-01-02),
+when FreeType 2.8 will be the minimum supported.
+
+We recommend upgrading to at least FreeType `2.10.4`_, which fixed a severe
+vulnerability introduced in FreeType 2.6 (:cve:`CVE-2020-15999`).
+
+.. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
+
 Image.show command parameter
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

docs/releasenotes/3.1.1.rst

@@ -6,7 +6,7 @@ CVE-2016-0740 -- Buffer overflow in TiffDecode.c
 ------------------------------------------------
 
 Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64
-may overflow a buffer when reading a specially crafted tiff file.
+may overflow a buffer when reading a specially crafted tiff file (:cve:`CVE-2016-0740`).
 
 Specifically, libtiff >= 4.0.0 changed the return type of
 ``TIFFScanlineSize`` from ``int32`` to machine dependent
@@ -24,9 +24,11 @@ CVE-2016-0775 -- Buffer overflow in FliDecode.c
 -----------------------------------------------
 
 In all versions of Pillow, dating back at least to the last PIL 1.1.7
-release, FliDecode.c has a buffer overflow error.
+release, FliDecode.c has a buffer overflow error (:cve:`CVE-2016-0775`).
 
-Around line 192::
+Around line 192:
+
+.. code-block:: c
 
   case 16:
       /* COPY chunk */
@@ -45,13 +47,13 @@ is a set of row pointers to segments of memory that are the size of
 the row.  At the max ``y``, this will write the contents of the line
 off the end of the memory buffer, causing a segfault.
 
-This issue was found by Alyssa Besseling at Atlassian
+This issue was found by Alyssa Besseling at Atlassian.
 
 CVE-2016-2533 -- Buffer overflow in PcdDecode.c
 -----------------------------------------------
 
 In all versions of Pillow, dating back at least to the last PIL 1.1.7
-release, ``PcdDecode.c`` has a buffer overflow error.
+release, ``PcdDecode.c`` has a buffer overflow error (:cve:`CVE-2016-2533`).
 
 The ``state.buffer`` for ``PcdDecode.c`` is allocated based on a 3
 bytes per pixel sizing, where ``PcdDecode.c`` wrote into the buffer
@@ -63,14 +65,16 @@ Integer overflow in Resample.c
 ------------------------------
 
 If a large value was passed into the new size for an image, it is
-possible to overflow an int32 value passed into malloc.
+possible to overflow an ``int32`` value passed into malloc.
 
-  kk = malloc(xsize * kmax * sizeof(float));
+.. code-block:: c
-  ...
+
-  xbounds = malloc(xsize * 2 * sizeof(int));
+    kk = malloc(xsize * kmax * sizeof(float));
+    ...
+    xbounds = malloc(xsize * 2 * sizeof(int));
 
 ``xsize`` is trusted user input. These multiplications can overflow,
-leading the malloc'd buffer to be undersized. These allocations are
+leading the ``malloc``'d buffer to be undersized. These allocations are
 followed by a loop that writes out of bounds. This can lead to
 corruption on the heap of the Python process with attacker controlled
 float data.

docs/releasenotes/3.1.2.rst

@@ -7,9 +7,11 @@ CVE-2016-3076 -- Buffer overflow in Jpeg2KEncode.c
 
 Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing
 large Jpeg2000 files, allowing for code execution or other memory
-corruption.
+corruption (:cve:`CVE-2016-3076`).
 
-This occurs specifically in the function ``j2k_encode_entry``, at the line::
+This occurs specifically in the function ``j2k_encode_entry``, at the line:
+
+.. code-block:: c
 
     state->buffer = malloc (tile_width * tile_height * components * prec / 8);
 

docs/releasenotes/6.2.0.rst

@@ -73,7 +73,7 @@ Security
 ========
 
 This release catches several buffer overruns, as well as addressing
-CVE-2019-16865. The CVE is regarding DOS problems, such as consuming large
+:cve:`CVE-2019-16865`. The CVE is regarding DOS problems, such as consuming large
 amounts of memory, or taking a large amount of time to process an image.
 
 In RawDecode.c, an error is now thrown if skip is calculated to be less than
@@ -96,14 +96,14 @@ Other Changes
 Removed bdist_wininst .exe installers
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-.exe installers fell out of favour with PEP 527, and will be deprecated in
+.exe installers fell out of favour with :pep:`527`, and will be deprecated in
 Python 3.8. Pillow will no longer be distributing them. Wheels should be used
 instead.
 
 Flags for libwebp in wheels
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-When building libwebp for inclusion in wheels, Pillow now adds the -O3 and
+When building libwebp for inclusion in wheels, Pillow now adds the ``-O3`` and
--DNDEBUG CFLAGS. These flags would be used by default if building libwebp
+``-DNDEBUG`` CFLAGS. These flags would be used by default if building libwebp
 without debugging, and using them fixes a significant decrease in speed when
 a wheel-installed copy of Pillow performs libwebp operations.

docs/releasenotes/6.2.2.rst

@@ -6,12 +6,13 @@ Security
 
 This release addresses several security problems.
 
-CVE-2019-19911 is regarding FPX images. If an image reports that it has a large number
+:cve:`CVE-2019-19911` is regarding FPX images. If an image reports that it has a large
-of bands, a large amount of resources will be used when trying to process the
+number of bands, a large amount of resources will be used when trying to process the
 image. This is fixed by limiting the number of bands to those usable by Pillow.
 
-Buffer overruns were found when processing an SGI (CVE-2020-5311), PCX (CVE-2020-5312)
+Buffer overruns were found when processing an SGI (:cve:`CVE-2020-5311`),
-or FLI image (CVE-2020-5313). Checks have been added to prevent this.
+PCX (:cve:`CVE-2020-5312`) or FLI image (:cve:`CVE-2020-5313`). Checks have been added
+to prevent this.
 
-CVE-2020-5310: Overflow checks have been added when calculating the size of a memory
+:cve:`CVE-2020-5310`: Overflow checks have been added when calculating the size of a
-block to be reallocated in the processing of a TIFF image.
+memory block to be reallocated in the processing of a TIFF image.

docs/releasenotes/7.1.0.rst

@@ -74,11 +74,11 @@ Security
 
 This release includes security fixes.
 
-* CVE-2020-10177 Fix multiple OOB reads in FLI decoding
+* :cve:`CVE-2020-10177` Fix multiple OOB reads in FLI decoding
-* CVE-2020-10378 Fix bounds overflow in PCX decoding
+* :cve:`CVE-2020-10378` Fix bounds overflow in PCX decoding
-* CVE-2020-10379 Fix two buffer overflows in TIFF decoding
+* :cve:`CVE-2020-10379` Fix two buffer overflows in TIFF decoding
-* CVE-2020-10994 Fix bounds overflow in JPEG 2000 decoding
+* :cve:`CVE-2020-10994` Fix bounds overflow in JPEG 2000 decoding
-* CVE-2020-11538 Fix buffer overflow in SGI-RLE decoding
+* :cve:`CVE-2020-11538` Fix buffer overflow in SGI-RLE decoding
 
 Other Changes
 =============

docs/releasenotes/8.0.1.rst

@@ -4,13 +4,11 @@
 Security
 ========
 
-Update FreeType used in binary wheels to `2.10.4`_ to fix CVE-2020-15999_:
+Update FreeType used in binary wheels to `2.10.4`_ to fix :cve:`CVE-2020-15999`:
 
   - A heap buffer overflow has been found  in the handling of embedded PNG bitmaps,
     introduced in FreeType version 2.6.
 
-      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
-
     If you use option ``FT_CONFIG_OPTION_USE_PNG`` you should upgrade immediately.
 
 We strongly recommend updating to Pillow 8.0.1 if you are using Pillow 8.0.0, which improved support for bitmap fonts.
@@ -22,4 +20,3 @@ Pillow 8.0.0 and earlier are potentially vulnerable releases, including the last
 to support Python 2.7, namely Pillow 6.2.2.
 
 .. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
-.. _CVE-2020-15999: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

docs/releasenotes/8.1.0.rst

@@ -0,0 +1,45 @@
+8.1.0
+-----
+
+Deprecations
+============
+
+FreeType 2.7
+^^^^^^^^^^^^
+
+Support for FreeType 2.7 is deprecated and will be removed in Pillow 9.0.0 (2022-01-02),
+when FreeType 2.8 will be the minimum supported.
+
+We recommend upgrading to at least FreeType `2.10.4`_, which fixed a severe
+vulnerability introduced in FreeType 2.6 (:cve:`CVE-2020-15999`).
+
+.. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
+
+API Changes
+===========
+
+TODO
+^^^^
+
+TODO
+
+API Additions
+=============
+
+TODO
+^^^^
+
+TODO
+
+Security
+========
+
+TODO
+
+Other Changes
+=============
+
+TODO
+^^^^
+
+TODO

docs/releasenotes/index.rst

@@ -13,6 +13,7 @@ expected to be backported to earlier versions.
 .. toctree::
   :maxdepth: 2
 
+  8.1.0
   8.0.1
   8.0.0
   7.2.0

requirements.txt

@@ -9,5 +9,6 @@ pyroma
 pytest
 pytest-cov
 sphinx>=2.4
+sphinx-issues
 sphinx-removed-in
 sphinx-rtd-theme

src/PIL/ImageFont.py

@@ -28,9 +28,10 @@
 import base64
 import os
 import sys
+import warnings
 from io import BytesIO
 
-from . import Image
+from . import Image, features
 from ._util import isDirectory, isPath
 
 LAYOUT_BASIC = 0
@@ -164,6 +165,21 @@ class FreeTypeFont:
         self.index = index
         self.encoding = encoding
 
+        try:
+            from packaging.version import parse as parse_version
+        except ImportError:
+            pass
+        else:
+            freetype_version = parse_version(features.version_module("freetype2"))
+            if freetype_version < parse_version("2.8"):
+                warnings.warn(
+                    "Support for FreeType 2.7 is deprecated and will be removed"
+                    " in Pillow 9 (2022-01-02). Please upgrade to FreeType 2.8 "
+                    "or newer, preferably FreeType 2.10.4 which fixes "
+                    "CVE-2020-15999.",
+                    DeprecationWarning,
+                )
+
         if layout_engine not in (LAYOUT_BASIC, LAYOUT_RAQM):
             layout_engine = LAYOUT_BASIC
             if core.HAVE_RAQM: