From d3c1d99d00b3d76d9c3dbdfc629b6278a0e38613 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Fri, 6 Sep 2024 14:22:39 +0300
Subject: [PATCH 1/4] Deprecate support for FreeType 2.9.0
---
 Tests/test_imagefont.py | 12 ++++++++++++
 docs/deprecations.rst | 13 +++++++++++++
 docs/releasenotes/11.0.0.rst | 13 +++++++++++++
 src/PIL/ImageFont.py | 17 ++++++++++++++++-
 4 files changed, 54 insertions(+), 1 deletion(-)
diff --git a/Tests/test_imagefont.py b/Tests/test_imagefont.py
index 953706010..cfadc7312 100644
--- a/Tests/test_imagefont.py
+++ b/Tests/test_imagefont.py
@@ -1150,3 +1150,15 @@ def test_invalid_truetype_sizes_raise_valueerror(
 ) -> None:
 with pytest.raises(ValueError):
 ImageFont.truetype(FONT_PATH, size, layout_engine=layout_engine)
+
+
+def test_freetype_deprecation(monkeypatch: pytest.MonkeyPatch) -> None:
+ # Arrange: mock features.version_module to return fake FreeType version
+ def fake_version_module(module):
+ return "2.9.0"
+
+ monkeypatch.setattr(features, "version_module", fake_version_module)
+
+ # Act / Assert
+ with pytest.warns(DeprecationWarning):
+ ImageFont.truetype(FONT_PATH, FONT_SIZE)
diff --git a/docs/deprecations.rst b/docs/deprecations.rst
index a9498d5ed..9a2f16cfb 100644
--- a/docs/deprecations.rst
+++ b/docs/deprecations.rst
@@ -12,6 +12,19 @@ Deprecated features
 Below are features which are considered deprecated. Where appropriate, a
 :py:exc:`DeprecationWarning` is issued.
 
+FreeType 2.9.0
+~~~~~~~~~~~~~~
+
+.. deprecated:: 11.0.0
+
+Support for FreeType 2.9.0 is deprecated and will be removed in Pillow 12.0.0
+(2025-10-15), when FreeType 2.9.1 will be the minimum supported.
+
+We recommend upgrading to at least FreeType `2.10.4`_, which fixed a severe
+vulnerability introduced in FreeType 2.6 (:cve:`CVE-2020-15999`).
+
+.. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
+
 ImageFile.raise_oserror
 ~~~~~~~~~~~~~~~~~~~~~~~
 
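Review bot: test_freetype_deprecation fails instead of skipping when `packaging` is not installed, because the warning it waits for is only emitted from the `packaging`-guarded branch that this series adds to FreeTypeFont.__init__ (the `except ImportError: pass` path emits nothing); add `pytest.importorskip("packaging")` as the first line of the test so the dependency is explicit. The assertion is also looser than it needs to be: `pytest.warns(DeprecationWarning, match="FreeType 2.9.0")` would pin it to this warning rather than any DeprecationWarning raised while loading the font. A second case with the fake returning `"2.9.1"` under `warnings.catch_warnings()` with `warnings.simplefilter("error")` would show the cutoff is not off by one. `fake_version_module` ignores its `module` argument, which is fine here but worth a one-line comment so nobody reuses it as a general stub.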
diff --git a/docs/releasenotes/11.0.0.rst b/docs/releasenotes/11.0.0.rst
index ac9237acf..99e0a2927 100644
--- a/docs/releasenotes/11.0.0.rst
+++ b/docs/releasenotes/11.0.0.rst
@@ -43,6 +43,19 @@ similarly removed.
 Deprecations
 ============
 
+FreeType 2.9.0
+^^^^^^^^^^^^^^
+
+.. deprecated:: 11.0.0
+
+Support for FreeType 2.9.0 is deprecated and will be removed in Pillow 12.0.0
+(2025-10-15), when FreeType 2.9.1 will be the minimum supported.
+
+We recommend upgrading to at least FreeType `2.10.4`_, which fixed a severe
+vulnerability introduced in FreeType 2.6 (:cve:`CVE-2020-15999`).
+
+.. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
+
 ImageMath.lambda_eval and ImageMath.unsafe_eval options parameter
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
diff --git a/src/PIL/ImageFont.py b/src/PIL/ImageFont.py
index a82c36ba6..50796e132 100644
--- a/src/PIL/ImageFont.py
+++ b/src/PIL/ImageFont.py
@@ -36,7 +36,7 @@ from io import BytesIO
 from types import ModuleType
 from typing import IO, TYPE_CHECKING, Any, BinaryIO, TypedDict, cast
 
-from . import Image
+from . import Image, features
 from ._typing import StrOrBytesPath
 from ._util import DeferredError, is_path
 
@@ -232,6 +232,21 @@ class FreeTypeFont:
 self.index = index
 self.encoding = encoding
 
+ try:
+ from packaging.version import parse as parse_version
+ except ImportError:
+ pass
+ else:
+ if freetype_version := features.version_module("freetype2"):
+ if parse_version(freetype_version) < parse_version("2.9.1"):
+ warnings.warn(
+ "Support for FreeType 2.9.0 is deprecated and will be removed "
+ "in Pillow 12 (2025-10-15). Please upgrade to FreeType 2.9.1 "
+ "or newer, preferably FreeType 2.10.4 which fixes "
+ "CVE-2020-15999.",
+ DeprecationWarning,
+ )
+
 if layout_engine not in (Layout.BASIC, Layout.RAQM):
 layout_engine = Layout.BASIC
 if core.HAVE_RAQM:
From 2c02146cf4c745df531be49e6900005d7df486b7 Mon Sep 17 00:00:00 2001
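Review bot: The deprecation check added to FreeTypeFont.__init__ is silently skipped when `packaging` is not importable (`except ImportError: pass`), so the users this warning exists for — those still linked against a FreeType affected by CVE-2020-15999, as the message itself says — may never see it; `packaging` does not look like a declared runtime dependency of Pillow, though that is not visible in this hunk and is worth confirming. The value returned by `features.version_module("freetype2")` appears to be a dotted-integer string, so the comparison can be made without the optional import, with a guard that skips the check on an unexpected format instead of raising during font construction. Two smaller points: the check runs on every font instantiation, so a module-level helper that evaluates once would avoid repeating the work, and `warnings.warn` is called without `stacklevel`, so the warning is attributed to ImageFont.py itself rather than to the code that loaded the font. `warnings` is not imported in this hunk; presumably it is already imported at the top of the file. `__init__` starts and ends outside the hunk.
```python
        if freetype_version := features.version_module("freetype2"):
            try:
                parsed = tuple(int(part) for part in freetype_version.split(".")[:3])
            except ValueError:
                parsed = None  # unrecognised version format: skip the check
            if parsed is not None and parsed < (2, 9, 1):
                warnings.warn(
                    # … unchanged: deprecation message …
                    DeprecationWarning,
                )
```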
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Sat, 7 Sep 2024 12:32:30 +0300
Subject: [PATCH 2/4] Use type hints and fix CVE role
Co-authored-by: Andrew Murray <3112309+radarhere@users.noreply.github.com>
---
 Tests/test_imagefont.py | 2 +-
 docs/deprecations.rst | 2 +-
 docs/releasenotes/11.0.0.rst | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Tests/test_imagefont.py b/Tests/test_imagefont.py
index cfadc7312..3c916db18 100644
--- a/Tests/test_imagefont.py
+++ b/Tests/test_imagefont.py
@@ -1154,7 +1154,7 @@ def test_invalid_truetype_sizes_raise_valueerror(
 
 def test_freetype_deprecation(monkeypatch: pytest.MonkeyPatch) -> None:
 # Arrange: mock features.version_module to return fake FreeType version
- def fake_version_module(module):
+ def fake_version_module(module: str) -> str:
 return "2.9.0"
 
 monkeypatch.setattr(features, "version_module", fake_version_module)
diff --git a/docs/deprecations.rst b/docs/deprecations.rst
index 9a2f16cfb..8d3032827 100644
--- a/docs/deprecations.rst
+++ b/docs/deprecations.rst
@@ -21,7 +21,7 @@ Support for FreeType 2.9.0 is deprecated and will be removed in Pillow 12.0.0
 (2025-10-15), when FreeType 2.9.1 will be the minimum supported.
 
 We recommend upgrading to at least FreeType `2.10.4`_, which fixed a severe
-vulnerability introduced in FreeType 2.6 (:cve:`CVE-2020-15999`).
+vulnerability introduced in FreeType 2.6 (:cve:`2020-15999`).
 
 .. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
 
diff --git a/docs/releasenotes/11.0.0.rst b/docs/releasenotes/11.0.0.rst
index 99e0a2927..0c637cc65 100644
--- a/docs/releasenotes/11.0.0.rst
+++ b/docs/releasenotes/11.0.0.rst
@@ -52,7 +52,7 @@ Support for FreeType 2.9.0 is deprecated and will be removed in Pillow 12.0.0
 (2025-10-15), when FreeType 2.9.1 will be the minimum supported.
 
 We recommend upgrading to at least FreeType `2.10.4`_, which fixed a severe
-vulnerability introduced in FreeType 2.6 (:cve:`CVE-2020-15999`).
+vulnerability introduced in FreeType 2.6 (:cve:`2020-15999`).
 
 .. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
 
From 6231453895ff9098fde1de8e4be2ddcf0574b1a8 Mon Sep 17 00:00:00 2001
From: Andrew Murray
Date: Sun, 8 Sep 2024 21:53:08 +1000
Subject: [PATCH 3/4] Group 11.0.0 deprecations
---
 docs/deprecations.rst | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/docs/deprecations.rst b/docs/deprecations.rst
index 8d3032827..bf290a9cd 100644
--- a/docs/deprecations.rst
+++ b/docs/deprecations.rst
@@ -12,19 +12,6 @@ Deprecated features
 Below are features which are considered deprecated. Where appropriate, a
 :py:exc:`DeprecationWarning` is issued.
 
-FreeType 2.9.0
-~~~~~~~~~~~~~~
-
-.. deprecated:: 11.0.0
-
-Support for FreeType 2.9.0 is deprecated and will be removed in Pillow 12.0.0
-(2025-10-15), when FreeType 2.9.1 will be the minimum supported.
-
-We recommend upgrading to at least FreeType `2.10.4`_, which fixed a severe
-vulnerability introduced in FreeType 2.6 (:cve:`2020-15999`).
-
-.. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
-
 ImageFile.raise_oserror
 ~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -122,6 +109,19 @@ ImageDraw.getdraw hints parameter
 
 The ``hints`` parameter in :py:meth:`~PIL.ImageDraw.getdraw()` has been deprecated.
 
+FreeType 2.9.0
+~~~~~~~~~~~~~~
+
+.. deprecated:: 11.0.0
+
+Support for FreeType 2.9.0 is deprecated and will be removed in Pillow 12.0.0
+(2025-10-15), when FreeType 2.9.1 will be the minimum supported.
+
+We recommend upgrading to at least FreeType `2.10.4`_, which fixed a severe
+vulnerability introduced in FreeType 2.6 (:cve:`2020-15999`).
+
+.. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
+
 ImageMath.lambda_eval and ImageMath.unsafe_eval options parameter
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
From 2f13c4588d6287140a7e94bc8bc6c732610bd31e Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Sun, 8 Sep 2024 16:17:13 +0300
Subject: [PATCH 4/4] Fix underline
Co-authored-by: Andrew Murray <3112309+radarhere@users.noreply.github.com>
---
 docs/deprecations.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/deprecations.rst b/docs/deprecations.rst
index bf290a9cd..1d2da2381 100644
--- a/docs/deprecations.rst
+++ b/docs/deprecations.rst
@@ -110,7 +110,7 @@ ImageDraw.getdraw hints parameter
 The ``hints`` parameter in :py:meth:`~PIL.ImageDraw.getdraw()` has been deprecated.
 
 FreeType 2.9.0
-~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^
 
 .. deprecated:: 11.0.0