Disable Pillow until upgrade path can be found #503

Merged
merged 1 commit into from
Oct 6, 2023
Merged
26 changes: 20 additions & 6 deletions main.py
@@ -1,33 +1,47 @@
import sys

from data.screens import ScreenType
import debug

if sys.version_info <= (3, 5):
print("Error: Please run with python3")
debug.error("Please run with python3")
sys.exit(1)

import statsapi

statsapi_version = tuple(map(int, statsapi.__version__.split(".")))
if statsapi_version < (1, 5, 1):
print("Error: We require MLB-StatsAPI 1.5.1 or higher. You may need to re-run install.sh")
debug.error("We require MLB-StatsAPI 1.5.1 or higher. You may need to re-run install.sh")
sys.exit(1)
elif statsapi_version < (1, 6, 1):
print("Warning: We recommend MLB-StatsAPI 1.6.1 or higher. You may want to re-run install.sh")
debug.warning("We recommend MLB-StatsAPI 1.6.1 or higher. You may want to re-run install.sh")

import logging
import os
import threading
import time

from PIL import Image
# TODO: This code addresses CVE-2023-4863 in Pillow < 10.0.1, which requires Python 3.8+
# See requirements.txt for rationale.
try:
from PIL import Image

pil_version = tuple(map(int, Image.__version__.split(".")))
if pil_version < (10, 0, 1):
debug.warning(f"Attempted to load an insecure PIL version ({Image.__version__}). We require PIL 10.0.1 or higher.")

raise ModuleNotFoundError

PIL_LOADED = True
except:
debug.warning("PIL failed to load -- images will not be displayed.")
PIL_LOADED = False

# Important! Import the driver first to initialize it, then import submodules as needed.
import driver
from driver import RGBMatrix, __version__
from utils import args, led_matrix_options

import debug
from data import Data
from data.config import Config
from renderers.main import MainRenderer
Expand Down Expand Up @@ -60,7 +74,7 @@ def main(matrix, config_base):

# MLB image disabled when using renderer, for now.
# see: https://github.com/ty-porter/RGBMatrixEmulator/issues/9#issuecomment-922869679
if os.path.exists(logo) and driver.is_hardware():
if os.path.exists(logo) and driver.is_hardware() and PIL_LOADED:
logo = Image.open(logo)
matrix.SetImage(logo.convert("RGB"))
logo.close()
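Review bot: The version gate at `if pil_version < (10, 0, 1):` only flips `PIL_LOADED`; by the time it runs, `from PIL import Image` has already succeeded, so the rejected Pillow remains in `sys.modules` and `Image` stays bound in this module, and any other module that does its own `from PIL import Image` (renderers/offday.py in this same change does) loads and uses it regardless of the check. To make the disable effective for the whole process, I'd move the gated import into one shared helper module that exports `Image` (or `None`) and `PIL_LOADED`, and have both main.py and the renderers import from there instead of touching `PIL` directly. Separately, the bare `except:` also catches `KeyboardInterrupt`/`SystemExit` during startup, and the `int()` conversion on a version string with a non-numeric part (a `.post1`/`.dev0` suffix, say) raises `ValueError`; narrowing it to `except (ImportError, ValueError):` keeps the fail-closed behaviour (`ModuleNotFoundError` is an `ImportError`) without swallowing the interrupt path. The warning text could also name the reason, e.g. `debug.warning(f"Refusing to load Pillow {Image.__version__}: CVE-2023-4863 is fixed in 10.0.1+.")`, so the log explains itself.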
15 changes: 11 additions & 4 deletions renderers/offday.py
Expand Up @@ -2,7 +2,13 @@

import time

import PIL.Image
try:
from PIL import Image

PIL_LOADED = True
except:

PIL_LOADED = False

from data.time_formats import TIME_FORMAT_12H
from data.config.color import Color
Expand Down Expand Up @@ -38,9 +44,10 @@ def __render_clock(canvas, layout, colors, time_format):

def __render_weather(canvas, layout, colors, weather):
if weather.available():
image_file = weather.icon_filename()
weather_icon = PIL.Image.open(image_file)
__render_weather_icon(canvas, layout, colors, weather_icon)
if PIL_LOADED:
image_file = weather.icon_filename()
weather_icon = Image.open(image_file)
__render_weather_icon(canvas, layout, colors, weather_icon)
__render_weather_text(canvas, layout, colors, weather.conditions, "conditions")
__render_weather_text(canvas, layout, colors, weather.temperature_string(), "temperature")
__render_weather_text(canvas, layout, colors, weather.wind_speed_string(), "wind_speed")
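Review bot: `PIL_LOADED = True` in the first hunk is set whenever `from PIL import Image` succeeds, with none of the 10.0.1 version check that main.py applies, so on an install that still has Pillow 9.3.0 this renderer keeps decoding weather icons with the very version the change means to disable (main.py's `raise ModuleNotFoundError` does not remove an already-imported `PIL` from `sys.modules`). Either repeat the gate inside the `try` — `if tuple(map(int, Image.__version__.split("."))) < (10, 0, 1): raise ImportError` — or, better, import `Image` and `PIL_LOADED` from a single shared module so the decision is made once. The bare `except:` should likewise become `except (ImportError, ValueError):` so a `KeyboardInterrupt` during import is not reported as "PIL not loaded". In `__render_weather`, `Image.open(image_file)` is never closed; `with Image.open(image_file) as weather_icon:` wrapping the `__render_weather_icon` call releases the file handle (the function's tail appears to continue past the hunk).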
13 changes: 12 additions & 1 deletion requirements.txt
@@ -1,6 +1,17 @@
feedparser==6.0.10
MLB_StatsAPI>=1.6.1
Pillow==9.3.0
# PIL is affected by CVE-2023-4863
# https://nvd.nist.gov/vuln/detail/CVE-2023-4863
#
# The vulnerability is patched in Pillow >= 10.0.1. This version does not support Python 3.7 due to this version being end-of-life.
# Python 3.7.3 is the default Python version for Raspbian / Raspberry Pi OS, and upgrading Python versions is difficult for non-technical users.
#
# Therefore, addressing the CVE at this time would be a breaking change for most users without an easy upgrade path to Python 3.8+.
#
# Dependabot PR:
# https://github.com/MLB-LED-Scoreboard/mlb-led-scoreboard/pull/502
#
# Pillow==9.3.1
pyowm==3.3.0
RGBMatrixEmulator>=0.8.4
tzlocal==4.2
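Review bot: The commented reminder `# Pillow==9.3.1` contradicts the comment block above it, which says the fix is in `>= 10.0.1` (9.3.1 is still affected, by that text); presumably the Dependabot PR proposed 10.0.1, so the placeholder should read `# Pillow>=10.0.1`. An environment marker would give Python 3.8+ users the fixed version without breaking 3.7: `Pillow>=10.0.1; python_version >= "3.8"`, with the 3.7 case left to the runtime gate in main.py. It is also worth stating in the comment that removing the pin does not uninstall an existing Pillow 9.3.0 — `pip install -r requirements.txt` leaves it in place — so existing installs stay on the vulnerable version until the user removes it or upgrades Python.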