From 381a072f6333945f64226c3df8be2cad5bd91b2e Mon Sep 17 00:00:00 2001
From: pawptart
Date: Wed, 4 Oct 2023 00:31:59 -0400
Subject: [PATCH] Disable Pillow until upgrade path can be found
---
main.py | 26 ++++++++++++++++++++------
renderers/offday.py | 15 +++++++++++----
requirements.txt | 13 ++++++++++++-
3 files changed, 43 insertions(+), 11 deletions(-)
diff --git a/main.py b/main.py
index 05aece94..d0e9b99e 100755
--- a/main.py
+++ b/main.py
@@ -1,33 +1,47 @@ import sys from data.screens import ScreenType +import debug if sys.version_info <= (3, 5): - print("Error: Please run with python3") + debug.error("Please run with python3") sys.exit(1) import statsapi statsapi_version = tuple(map(int, statsapi.__version__.split("."))) if statsapi_version < (1, 5, 1): - print("Error: We require MLB-StatsAPI 1.5.1 or higher. You may need to re-run install.sh") + debug.error("We require MLB-StatsAPI 1.5.1 or higher. You may need to re-run install.sh") sys.exit(1) elif statsapi_version < (1, 6, 1): - print("Warning: We recommend MLB-StatsAPI 1.6.1 or higher. You may want to re-run install.sh") + debug.warning("We recommend MLB-StatsAPI 1.6.1 or higher. You may want to re-run install.sh") import logging import os import threading import time -from PIL import Image +# TODO: This code addresses CVE-2023-4863 in Pillow < 10.0.1, which requires Python 3.8+ +# See requirements.txt for rationale. +try: + from PIL import Image + + pil_version = tuple(map(int, Image.__version__.split("."))) + if pil_version < (10, 0, 1): + debug.warning(f"Attempted to load an insecure PIL version ({Image.__version__}). We require PIL 10.0.1 or higher.") + + raise ModuleNotFoundError + + PIL_LOADED = True +except: + debug.warning("PIL failed to load -- images will not be displayed.") + PIL_LOADED = False # Important! Import the driver first to initialize it, then import submodules as needed. import driver from driver import RGBMatrix, __version__ from utils import args, led_matrix_options -import debug from data import Data from data.config import Config from renderers.main import MainRenderer 
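Review bot: The bare `except:` around the new Pillow guard catches every exception raised in the try body, not just the import failure it is meant to handle: a `__version__` string that `int()` cannot parse (a dev or post suffix, for example) surfaces as a ValueError and is reported as "PIL failed to load", and `KeyboardInterrupt`/`SystemExit` during import would be swallowed too. Narrow it to `except (ImportError, ValueError):` — the deliberate `raise ModuleNotFoundError` is an ImportError, so the intended path still lands there. Separately, because the version check runs after `from PIL import Image` has already succeeded, PIL remains in `sys.modules`; raising afterwards only affects this module's `PIL_LOADED`, and any other module that imports PIL itself (renderers/offday.py in this same commit) gets the same vulnerable version with no check. A comment on the `raise` line such as `# Only disables Pillow for this module; PIL stays importable elsewhere` would make that limit explicit.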
@@ -60,7 +74,7 @@ def main(matrix, config_base): # MLB image disabled when using renderer, for now. # see: https://github.com/ty-porter/RGBMatrixEmulator/issues/9#issuecomment-922869679 - if os.path.exists(logo) and driver.is_hardware(): + if os.path.exists(logo) and driver.is_hardware() and PIL_LOADED: logo = Image.open(logo) matrix.SetImage(logo.convert("RGB")) logo.close() diff --git a/renderers/offday.py b/renderers/offday.py index fd400c38..2bafab9a 100644 --- a/renderers/offday.py +++ b/renderers/offday.py @@ -2,7 +2,13 @@ import time -import PIL.Image +try: + from PIL import Image + + PIL_LOADED = True +except: + + PIL_LOADED = False from data.time_formats import TIME_FORMAT_12H from data.config.color import Color @@ -38,9 +44,10 @@ def __render_clock(canvas, layout, colors, time_format): def __render_weather(canvas, layout, colors, weather): if weather.available(): - image_file = weather.icon_filename() - weather_icon = PIL.Image.open(image_file) - __render_weather_icon(canvas, layout, colors, weather_icon) + if PIL_LOADED: + image_file = weather.icon_filename() + weather_icon = Image.open(image_file) + __render_weather_icon(canvas, layout, colors, weather_icon) __render_weather_text(canvas, layout, colors, weather.conditions, "conditions") __render_weather_text(canvas, layout, colors, weather.temperature_string(), "temperature") __render_weather_text(canvas, layout, colors, weather.wind_speed_string(), "wind_speed") diff --git a/requirements.txt b/requirements.txt index 7d58f280..50f84928 100644 --- a/requirements.txt +++ b/requirements.txt 
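Review bot: The `try` block added at the top of renderers/offday.py sets `PIL_LOADED = True` whenever `from PIL import Image` succeeds, with no minimum-version test, so the weather-icon path still decodes images with a Pillow older than 10.0.1 — the case the guard in main.py refuses. main.py's own check runs after its import succeeded, so PIL stays in `sys.modules` and this import succeeds here regardless of version; main.py's `PIL_LOADED` is never consulted by this module. Mirror the version test here (or move the decision into one shared helper both modules import, so the two copies cannot drift), and narrow the bare `except:` to the errors the block can actually raise.
```python
try:
    from PIL import Image

    # Same floor as main.py: Pillow < 10.0.1 carries CVE-2023-4863.
    if tuple(map(int, Image.__version__.split("."))) < (10, 0, 1):
        raise ImportError(f"insecure Pillow {Image.__version__}")

    PIL_LOADED = True
except (ImportError, ValueError):
    PIL_LOADED = False
```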
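Review bot: In `__render_weather`, the icon opened with `Image.open(image_file)` is never closed, so a file handle is held until garbage collection on every render; the two new lines can become `with Image.open(image_file) as weather_icon:` followed by the indented `__render_weather_icon(canvas, layout, colors, weather_icon)`. This is also the one line in the hunk where image data reaches the decoder, so the module-level `PIL_LOADED` flag it relies on should encode "Pillow is present and at least 10.0.1", not merely "import succeeded". Whether `weather.icon_filename()` refers to bundled or downloaded files is not visible here; the function may continue past the hunk.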
@@ -1,6 +1,17 @@
 feedparser==6.0.10
 MLB_StatsAPI>=1.6.1
-Pillow==9.3.0
+# PIL is affected by CVE-2023-4863
+# https://nvd.nist.gov/vuln/detail/CVE-2023-4863
+#
+# The vulnerability is patched in Pillow >= 10.0.1. This version does not support Python 3.7 due to this version being end-of-life.
+# Python 3.7.3 is the default Python version for Raspbian / Raspberry Pi OS, and upgrading Python versions is difficult for non-technical users.
+#
+# Therefore, addressing the CVE at this time would be a breaking change for most users without an easy upgrade path to Python 3.8+.
+#
+# Dependabot PR:
+# https://github.com/MLB-LED-Scoreboard/mlb-led-scoreboard/pull/502
+#
+# Pillow==9.3.1
 pyowm==3.3.0
 RGBMatrixEmulator>=0.8.4
 tzlocal==4.2
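Review bot: Commenting out the Pillow line removes the constraint entirely, so a fresh `pip install -r requirements.txt` either installs no Pillow at all or, if another listed package pulls it in transitively, an unconstrained version that may still be below 10.0.1; existing installs keep whatever Pillow is already present. A PEP 508 environment marker expresses the intent without breaking Python 3.7 users: `Pillow>=10.0.1; python_version >= "3.8"` pins the patched release where it is installable and skips it elsewhere, leaving the runtime guard in main.py to cover the remainder. The commented-out pin reads `Pillow==9.3.1` while the removed line was `Pillow==9.3.0`; the comment should record the pin that was actually in place.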