

Remove Pillow patch, require Pillow > 10.0.1
ty-porter committed Feb 21, 2024
1 parent 0745253 commit 9264e14
Showing 3 changed files with 7 additions and 39 deletions.
18 changes: 2 additions & 16 deletions main.py
Expand Up @@ -21,21 +21,7 @@
import threading
import time

# TODO: This code addresses CVE-2023-4863 in Pillow < 10.0.1, which requires Python 3.8+
# See requirements.txt for rationale.
try:
from PIL import Image

pil_version = tuple(map(int, Image.__version__.split(".")))
if pil_version < (10, 0, 1):
debug.warning(f"Attempted to load an insecure PIL version ({Image.__version__}). We require PIL 10.0.1 or higher.")

raise ModuleNotFoundError

PIL_LOADED = True
except:
debug.warning("PIL failed to load -- images will not be displayed.")
PIL_LOADED = False
from PIL import Image

# Important! Import the driver first to initialize it, then import submodules as needed.
import driver
Expand Down Expand Up @@ -74,7 +60,7 @@ def main(matrix, config_base):

# MLB image disabled when using renderer, for now.
# see: https://github.com/ty-porter/RGBMatrixEmulator/issues/9#issuecomment-922869679
if os.path.exists(logo) and driver.is_hardware() and PIL_LOADED:
if os.path.exists(logo) and driver.is_hardware():
logo = Image.open(logo)
matrix.SetImage(logo.convert("RGB"))
logo.close()
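Review bot: The new unconditional `from PIL import Image` in the first hunk drops the only runtime enforcement of the 10.0.1 floor, so a Pillow older than the CVE-2023-4863 fix now loads silently; the rationale the commit removes from requirements.txt says the typical install is Raspberry Pi OS, where a distro-packaged Pillow or a venv that was not reinstalled after pulling can bypass whatever `requirements.txt` declares. Since the commit's intent is to hard-require a fixed Pillow, I would keep a small fail-fast check next to the import instead of relying on pip alone; the previous `tuple(map(int, ...))` parse also broke on any non-numeric version component, which the version below tolerates. The second hunk sits inside `main(matrix, config_base)`, which starts and ends outside this section.

```python
from PIL import Image

# CVE-2023-4863 (libwebp) is fixed in Pillow 10.0.1. requirements.txt sets that
# floor, but a stale venv or a distro-packaged Pillow bypasses pip, so check here.
_PIL_MIN_VERSION = (10, 0, 1)
_pil_version = tuple(int(part) for part in Image.__version__.split(".")[:3] if part.isdigit())
if _pil_version < _PIL_MIN_VERSION:
    raise RuntimeError(
        f"Pillow {Image.__version__} is affected by CVE-2023-4863; install Pillow >= 10.0.1"
    )

# … unchanged: driver import …
```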
15 changes: 4 additions & 11 deletions renderers/offday.py
Expand Up @@ -2,13 +2,7 @@

import time

try:
from PIL import Image

PIL_LOADED = True
except:

PIL_LOADED = False
from PIL import Image

from data.time_formats import TIME_FORMAT_12H
from data.config.color import Color
Expand Down Expand Up @@ -44,10 +38,9 @@ def __render_clock(canvas, layout, colors, time_format):

def __render_weather(canvas, layout, colors, weather):
if weather.available():
if PIL_LOADED:
image_file = weather.icon_filename()
weather_icon = Image.open(image_file)
__render_weather_icon(canvas, layout, colors, weather_icon)
image_file = weather.icon_filename()
weather_icon = Image.open(image_file)
__render_weather_icon(canvas, layout, colors, weather_icon)
__render_weather_text(canvas, layout, colors, weather.conditions, "conditions")
__render_weather_text(canvas, layout, colors, weather.temperature_string(), "temperature")
__render_weather_text(canvas, layout, colors, weather.wind_speed_string(), "wind_speed")
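Review bot: The now-unconditional `weather_icon = Image.open(image_file)` in `__render_weather` is never closed in the visible lines, whereas the equivalent logo path in main.py calls `logo.close()`; Pillow's `open` is lazy and can keep the file handle open until the image is loaded or closed, so unless `__render_weather_icon` closes it (its body is outside this section) each off-day render may leak a handle. A context manager keeps the guard removal and fixes that in place: `with Image.open(image_file) as weather_icon:` followed by the indented `__render_weather_icon(canvas, layout, colors, weather_icon)`. `__render_weather` continues past the end of this hunk.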
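--- a/requirements.txt
+++ b/requirements.txt
@@ -1,17 +1,6 @@
 feedparser==6.0.10
 MLB_StatsAPI>=1.6.1
-# PIL is affected by CVE-2023-4863
-# https://nvd.nist.gov/vuln/detail/CVE-2023-4863
-#
-# The vulnerability is patched in Pillow >= 10.0.1. This version does not support Python 3.7 due to this version being end-of-life.
-# Python 3.7.3 is the default Python version for Raspbian / Raspberry Pi OS, and upgrading Python versions is difficult for non-technical users.
-#
-# Therefore, addressing the CVE at this time would be a breaking change for most users without an easy upgrade path to Python 3.8+.
-#
-# Dependabot PR:
-# https://github.com/MLB-LED-Scoreboard/mlb-led-scoreboard/pull/502
-#
-# Pillow==9.3.1
+Pillow>=10.0.1
 pyowm==3.3.0
 RGBMatrixEmulator>=0.8.4
 tzlocal==4.2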
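Review bot: `Pillow>=10.0.1` is the only open-ended constraint in a file that otherwise pins exact versions (`feedparser==6.0.10`, `pyowm==3.3.0`, `tzlocal==4.2`), so a future Pillow major release would be installed without review; if reproducible installs are the goal, a bounded range such as `Pillow>=10.0.1,<11` keeps the CVE floor while limiting surprise upgrades. The removed comments were the only place recording that this floor has no Python 3.7 support and that Raspberry Pi OS ships 3.7.3; with them gone a 3.7 user will likely see only pip's "no matching distribution" error, so a one-line rationale is worth keeping, e.g. `# Pillow >= 10.0.1 fixes CVE-2023-4863 and requires Python 3.8+`. The commit title says "> 10.0.1" while the constraint is `>=10.0.1`; the constraint is the correct one, since 10.0.1 is the fixed release.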
