Deprecate support for FreeType 2.9.0

hugovk · Sep 6, 2024 · d3c1d99 · d3c1d99
1 parent 6377321
commit d3c1d99
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 1 deletion.
diff --git a/Tests/test_imagefont.py b/Tests/test_imagefont.py
@@ -1150,3 +1150,15 @@ def test_invalid_truetype_sizes_raise_valueerror(
 ) -> None:
     with pytest.raises(ValueError):
         ImageFont.truetype(FONT_PATH, size, layout_engine=layout_engine)
+
+
+def test_freetype_deprecation(monkeypatch: pytest.MonkeyPatch) -> None:
+    # Arrange: mock features.version_module to return fake FreeType version
+    def fake_version_module(module):
+        return "2.9.0"
+
+    monkeypatch.setattr(features, "version_module", fake_version_module)
+
+    # Act / Assert
+    with pytest.warns(DeprecationWarning):
+        ImageFont.truetype(FONT_PATH, FONT_SIZE)
diff --git a/docs/deprecations.rst b/docs/deprecations.rst
@@ -12,6 +12,19 @@ Deprecated features
 Below are features which are considered deprecated. Where appropriate,
 a :py:exc:`DeprecationWarning` is issued.
 
+FreeType 2.9.0
+~~~~~~~~~~~~~~
+
+.. deprecated:: 11.0.0
+
+Support for FreeType 2.9.0 is deprecated and will be removed in Pillow 12.0.0
+(2025-10-15), when FreeType 2.9.1 will be the minimum supported.
+
+We recommend upgrading to at least FreeType `2.10.4`_, which fixed a severe
+vulnerability introduced in FreeType 2.6 (:cve:`CVE-2020-15999`).
+
+.. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
+
 ImageFile.raise_oserror
 ~~~~~~~~~~~~~~~~~~~~~~~
 

diff --git a/docs/releasenotes/11.0.0.rst b/docs/releasenotes/11.0.0.rst
@@ -43,6 +43,19 @@ similarly removed.
 Deprecations
 ============
 
+FreeType 2.9.0
+^^^^^^^^^^^^^^
+
+.. deprecated:: 11.0.0
+
+Support for FreeType 2.9.0 is deprecated and will be removed in Pillow 12.0.0
+(2025-10-15), when FreeType 2.9.1 will be the minimum supported.
+
+We recommend upgrading to at least FreeType `2.10.4`_, which fixed a severe
+vulnerability introduced in FreeType 2.6 (:cve:`CVE-2020-15999`).
+
+.. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
+
 ImageMath.lambda_eval and ImageMath.unsafe_eval options parameter
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

diff --git a/src/PIL/ImageFont.py b/src/PIL/ImageFont.py
@@ -36,7 +36,7 @@
 from types import ModuleType
 from typing import IO, TYPE_CHECKING, Any, BinaryIO, TypedDict, cast
 
-from . import Image
+from . import Image, features
 from ._typing import StrOrBytesPath
 from ._util import DeferredError, is_path
 
@@ -232,6 +232,21 @@ def __init__(
         self.index = index
         self.encoding = encoding
 
+        try:
+            from packaging.version import parse as parse_version
+        except ImportError:
+            pass
+        else:
+            if freetype_version := features.version_module("freetype2"):
+                if parse_version(freetype_version) < parse_version("2.9.1"):
+                    warnings.warn(
+                        "Support for FreeType 2.9.0 is deprecated and will be removed "
+                        "in Pillow 12 (2025-10-15). Please upgrade to FreeType 2.9.1 "
+                        "or newer, preferably FreeType 2.10.4 which fixes "
+                        "CVE-2020-15999.",
+                        DeprecationWarning,
+                    )
+
         if layout_engine not in (Layout.BASIC, Layout.RAQM):
             layout_engine = Layout.BASIC
             if core.HAVE_RAQM: