diff --git a/main.py b/main.py index d0e9b99e..91c9579d 100755 --- a/main.py +++ b/main.py @@ -21,21 +21,7 @@ import threading import time -# TODO: This code addresses CVE-2023-4863 in Pillow < 10.0.1, which requires Python 3.8+ -# See requirements.txt for rationale. -try: - from PIL import Image - - pil_version = tuple(map(int, Image.__version__.split("."))) - if pil_version < (10, 0, 1): - debug.warning(f"Attempted to load an insecure PIL version ({Image.__version__}). We require PIL 10.0.1 or higher.") - - raise ModuleNotFoundError - - PIL_LOADED = True -except: - debug.warning("PIL failed to load -- images will not be displayed.") - PIL_LOADED = False +from PIL import Image # Important! Import the driver first to initialize it, then import submodules as needed. import driver @@ -74,7 +60,7 @@ def main(matrix, config_base): # MLB image disabled when using renderer, for now. # see: https://github.com/ty-porter/RGBMatrixEmulator/issues/9#issuecomment-922869679 - if os.path.exists(logo) and driver.is_hardware() and PIL_LOADED: + if os.path.exists(logo) and driver.is_hardware(): logo = Image.open(logo) matrix.SetImage(logo.convert("RGB")) logo.close() diff --git a/renderers/offday.py b/renderers/offday.py index 2bafab9a..e81613b9 100644 --- a/renderers/offday.py +++ b/renderers/offday.py @@ -2,13 +2,7 @@ import time -try: - from PIL import Image - - PIL_LOADED = True -except: - - PIL_LOADED = False +from PIL import Image from data.time_formats import TIME_FORMAT_12H from data.config.color import Color 
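Review bot: Removing the `pil_version < (10, 0, 1)` check from main.py drops the only runtime enforcement of the CVE-2023-4863 floor. `Pillow>=10.0.1` in requirements.txt applies only when dependencies are reinstalled, so an install that pulls the new code without re-running pip would presumably keep importing an older Pillow with no warning. Consider keeping a short guard right after the import that fails closed, for example `if tuple(map(int, Image.__version__.split("."))) < (10, 0, 1): raise ImportError("Pillow >= 10.0.1 is required (CVE-2023-4863)")`. The import is also unconditional now, so a missing Pillow stops startup instead of disabling images; if that is intended, a one-line comment above the import should say so.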
@@ -44,10 +38,9 @@ def __render_clock(canvas, layout, colors, time_format): def __render_weather(canvas, layout, colors, weather): if weather.available(): - if PIL_LOADED: - image_file = weather.icon_filename() - weather_icon = Image.open(image_file) - __render_weather_icon(canvas, layout, colors, weather_icon) + image_file = weather.icon_filename() + weather_icon = Image.open(image_file) + __render_weather_icon(canvas, layout, colors, weather_icon) __render_weather_text(canvas, layout, colors, weather.conditions, "conditions") __render_weather_text(canvas, layout, colors, weather.temperature_string(), "temperature") __render_weather_text(canvas, layout, colors, weather.wind_speed_string(), "wind_speed") diff --git a/requirements.txt b/requirements.txt index 50f84928..3f95f664 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,17 +1,6 @@ feedparser==6.0.10 MLB_StatsAPI>=1.6.1 -# PIL is affected by CVE-2023-4863 -# https://nvd.nist.gov/vuln/detail/CVE-2023-4863 -# -# The vulnerability is patched in Pillow >= 10.0.1. This version does not support Python 3.7 due to this version being end-of-life. -# Python 3.7.3 is the default Python version for Raspbian / Raspberry Pi OS, and upgrading Python versions is difficult for non-technical users. -# -# Therefore, addressing the CVE at this time would be a breaking change for most users without an easy upgrade path to Python 3.8+. -# -# Dependabot PR: -# https://github.com/MLB-LED-Scoreboard/mlb-led-scoreboard/pull/502 -# -# Pillow==9.3.1 +Pillow>=10.0.1 pyowm==3.3.0 RGBMatrixEmulator>=0.8.4 tzlocal==4.2
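Review bot: `weather_icon = Image.open(image_file)` in `__render_weather` is not closed anywhere in the visible lines. A missing or undecodable icon file also raises before the three `__render_weather_text` calls run, so one bad icon would drop the whole weather panel. Unless `__render_weather_icon` closes the image itself (not visible here), prefer `with Image.open(image_file) as weather_icon:` around the `__render_weather_icon(...)` call. Consider catching `OSError` there as well, so the text still renders. The function may continue past the end of the hunk.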
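Review bot: The new `Pillow>=10.0.1` line in requirements.txt carries no reason for the floor, because the whole comment block is deleted with it. Keep a one-line rationale so the bound is not relaxed later, for example `# Pillow >= 10.0.1 fixes CVE-2023-4863; needs Python 3.8+`. The removed comment says this Pillow release does not support Python 3.7, so the install documentation should state the new minimum Python version. Otherwise those users will likely hit a pip failure with no explanation.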