Merge pull request #503 from MLB-LED-Scoreboard/CVE-2023-4863

Disable Pillow until upgrade path can be found

main.py

@@ -1,33 +1,47 @@
 import sys
 
 from data.screens import ScreenType
+import debug
 
 if sys.version_info <= (3, 5):
-    print("Error: Please run with python3")
+    debug.error("Please run with python3")
     sys.exit(1)
 
 import statsapi
 
 statsapi_version = tuple(map(int, statsapi.__version__.split(".")))
 if statsapi_version < (1, 5, 1):
-    print("Error: We require MLB-StatsAPI 1.5.1 or higher. You may need to re-run install.sh")
+    debug.error("We require MLB-StatsAPI 1.5.1 or higher. You may need to re-run install.sh")
     sys.exit(1)
 elif statsapi_version < (1, 6, 1):
-    print("Warning: We recommend MLB-StatsAPI 1.6.1 or higher. You may want to re-run install.sh")
+    debug.warning("We recommend MLB-StatsAPI 1.6.1 or higher. You may want to re-run install.sh")
 
 import logging
 import os
 import threading
 import time
 
-from PIL import Image
+# TODO: This code addresses CVE-2023-4863 in Pillow < 10.0.1, which requires Python 3.8+
+#   See requirements.txt for rationale.
+try:
+    from PIL import Image
+
+    pil_version = tuple(map(int, Image.__version__.split(".")))
+    if pil_version < (10, 0, 1):
+        debug.warning(f"Attempted to load an insecure PIL version ({Image.__version__}). We require PIL 10.0.1 or higher.")
+
+        raise ModuleNotFoundError
+
+    PIL_LOADED = True
+except:
+    debug.warning("PIL failed to load -- images will not be displayed.")
+    PIL_LOADED = False
 
 # Important! Import the driver first to initialize it, then import submodules as needed.
 import driver
 from driver import RGBMatrix, __version__
 from utils import args, led_matrix_options
 
-import debug
 from data import Data
 from data.config import Config
 from renderers.main import MainRenderer
@@ -60,7 +74,7 @@ def main(matrix, config_base):
 
     # MLB image disabled when using renderer, for now.
     # see: https://github.com/ty-porter/RGBMatrixEmulator/issues/9#issuecomment-922869679
-    if os.path.exists(logo) and driver.is_hardware():
+    if os.path.exists(logo) and driver.is_hardware() and PIL_LOADED:
         logo = Image.open(logo)
         matrix.SetImage(logo.convert("RGB"))
         logo.close()

renderers/offday.py

@@ -2,7 +2,13 @@
 
 import time
 
-import PIL.Image
+try:
+    from PIL import Image
+
+    PIL_LOADED = True
+except:
+
+    PIL_LOADED = False
 
 from data.time_formats import TIME_FORMAT_12H
 from data.config.color import Color
@@ -38,9 +44,10 @@ def __render_clock(canvas, layout, colors, time_format):
 
 def __render_weather(canvas, layout, colors, weather):
     if weather.available():
-        image_file = weather.icon_filename()
-        weather_icon = PIL.Image.open(image_file)
-        __render_weather_icon(canvas, layout, colors, weather_icon)
+        if PIL_LOADED:
+            image_file = weather.icon_filename()
+            weather_icon = Image.open(image_file)
+            __render_weather_icon(canvas, layout, colors, weather_icon)
         __render_weather_text(canvas, layout, colors, weather.conditions, "conditions")
         __render_weather_text(canvas, layout, colors, weather.temperature_string(), "temperature")
         __render_weather_text(canvas, layout, colors, weather.wind_speed_string(), "wind_speed")

requirements.txt

@@ -1,6 +1,17 @@
 feedparser==6.0.10
 MLB_StatsAPI>=1.6.1
-Pillow==9.3.0
+# PIL is affected by CVE-2023-4863
+#   https://nvd.nist.gov/vuln/detail/CVE-2023-4863
+# 
+# The vulnerability is patched in Pillow >= 10.0.1. This version does not support Python 3.7 due to this version being end-of-life.
+# Python 3.7.3 is the default Python version for Raspbian / Raspberry Pi OS, and upgrading Python versions is difficult for non-technical users.
+#
+# Therefore, addressing the CVE at this time would be a breaking change for most users without an easy upgrade path to Python 3.8+.
+# 
+# Dependabot PR:
+#   https://github.com/MLB-LED-Scoreboard/mlb-led-scoreboard/pull/502
+#
+# Pillow==9.3.1
 pyowm==3.3.0
 RGBMatrixEmulator>=0.8.4
 tzlocal==4.2