8.0.1 version bump

Co-authored-by: nulano <nulano@nulano.eu>

CHANGES.rst

@@ -2,6 +2,15 @@
 Changelog (Pillow)
 ==================
 
+8.0.1 (2020-10-22)
+------------------
+
+- Update FreeType used in binary wheels to 2.10.4 to fix CVE-2020-15999
+  [radarhere]
+
+- Moved string_dimension image to pillow-depends #4993
+  [radarhere]
+
 8.0.0 (2020-10-15)
 ------------------
 

Makefile

@@ -91,6 +91,8 @@ release-test:
 	python3 selftest.py
 	python3 -m pytest Tests
 	python3 setup.py install
+	-rm dist/*.egg
+	-rmdir dist
 	python3 -m pytest -qq
 	check-manifest
 	pyroma .

Tests/test_file_tiff.py

@@ -598,6 +598,10 @@ class TestFileTiff:
     # Ignore this UserWarning which triggers for four tags:
     # "Possibly corrupt EXIF data.  Expecting to read 50404352 bytes but..."
     @pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data")
+    @pytest.mark.skipif(
+        not os.path.exists("Tests/images/string_dimension.tiff"),
+        reason="Extra image files not installed",
+    )
     def test_string_dimension(self):
         # Assert that an error is raised if one of the dimensions is a string
         with pytest.raises(ValueError):

docs/releasenotes/8.0.1.rst

@@ -0,0 +1,25 @@
+8.0.1
+-----
+
+Security
+========
+
+Update FreeType used in binary wheels to `2.10.4`_ to fix CVE-2020-15999_:
+
+  - A heap buffer overflow has been found  in the handling of embedded PNG bitmaps,
+    introduced in FreeType version 2.6.
+
+      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
+
+    If you use option ``FT_CONFIG_OPTION_USE_PNG`` you should upgrade immediately.
+
+We strongly recommend updating to Pillow 8.0.1 if you are using Pillow 8.0.0, which improved support for bitmap fonts.
+
+In Pillow 7.2.0 and earlier bitmap fonts were disabled with ``FT_LOAD_NO_BITMAP``, but it is not
+clear if this prevents the exploit and we recommend updating to Pillow 8.0.1.
+
+Pillow 8.0.0 and earlier are potentially vulnerable releases, including the last release
+to support Python 2.7, namely Pillow 6.2.2.
+
+.. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
+.. _CVE-2020-15999: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

docs/releasenotes/index.rst

@@ -13,6 +13,7 @@ expected to be backported to earlier versions.
 .. toctree::
   :maxdepth: 2
 
+  8.0.1
   8.0.0
   7.2.0
   7.1.2

src/PIL/_version.py

@@ -1,2 +1,2 @@
 # Master version for Pillow
-__version__ = "8.0.0"
+__version__ = "8.0.1"

winbuild/build_prepare.py

@@ -184,9 +184,9 @@ deps = {
         "libs": [r"libpng16.lib"],
     },
     "freetype": {
-        "url": "https://download.savannah.gnu.org/releases/freetype/freetype-2.10.3.tar.gz",  # noqa: E501
-        "filename": "freetype-2.10.3.tar.gz",
-        "dir": "freetype-2.10.3",
+        "url": "https://download.savannah.gnu.org/releases/freetype/freetype-2.10.4.tar.gz",  # noqa: E501
+        "filename": "freetype-2.10.4.tar.gz",
+        "dir": "freetype-2.10.4",
         "patch": {
             r"builds\windows\vc2010\freetype.vcxproj": {
                 # freetype setting is /MD for .dll and /MT for .lib, we need /MD