Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 629270 - app-office/openerp: removal
Summary: app-office/openerp: removal
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Depends on:
Reported: 2017-08-29 11:31 UTC by Michael Orlitzky
Modified: 2018-11-24 23:46 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

openerp-3 (openerp-3,186 bytes, text/plain)
2017-08-29 11:31 UTC, Michael Orlitzky
no flags Details
openerp-confd-3 (openerp-confd-3,38 bytes, text/plain)
2017-08-29 11:32 UTC, Michael Orlitzky
no flags Details
openerp.cfg.3 (openerp.cfg.3,1.08 KB, text/plain)
2017-08-29 11:32 UTC, Michael Orlitzky
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-08-29 11:31:34 UTC
Created attachment 491060 [details]

The latest openerp init script makes its PID file directory writable by the openerp user:

  start() {
      checkpath -q -d -m 0755 -o openerp:openerp /run/openerp

This is a minor security issue, because the "openerp" user can write whatever he wants into that PID file, and then later, root will send a SIGTERM to its contents when he tries to stop the daemon.

The reason that the "checkpath" call exists is a little confusing. Right now, openerp is running with *two* PID files -- one created by start-stop-daemon, and one created by openerp itself. The permissions above are needed for the PID file that openerp creates, but not for the one that start-stop-daemon creates (which is the one that actually gets used). So the solution is to,

  1. Disable the PID file that openerp creates itself.

  2. Move the start-stop-daemon PID file to /run.

  3. Drop the call to checkpath.

  4. Remove the PIDFILE variable from the conf.d file.

I'm attaching a new init script, conf.d file, and openerp.cfg with those changes.

You'll notice that I've also removed the $USER variable from the conf.d file. At the moment, it doesn't need to be there, because changing it doesn't work: the ebuild sets permissions for "openerp", and if you wanted to make the user switchable at runtime, you would have to move that code from the ebuild to the init script.
Comment 1 Michael Orlitzky gentoo-dev 2017-08-29 11:32:01 UTC
Created attachment 491062 [details]
Comment 2 Michael Orlitzky gentoo-dev 2017-08-29 11:32:53 UTC
Created attachment 491064 [details]

The new cfg file is identical to the old one, except I deleted the pidfile line.
Comment 3 Virgil Dupras (RETIRED) gentoo-dev 2018-10-07 20:29:36 UTC
This is badly outdated (hasn't been bumped since the it's in git!), vulnerable, unmaintained. It has a lot of dependencies, probably many of them where openerp is their only revdep. Should we treeclean it?
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-10-07 20:58:11 UTC
Given how many bugs are filed for this package, and that nobody has even bothered to update the maintainer on them, I'd say: yes, please.
Comment 5 Virgil Dupras (RETIRED) gentoo-dev 2018-10-07 21:18:58 UTC
Alright, last-riting app-office/openerp as well as orphans, listed below (all under the python project unmbrella):

Comment 6 Larry the Git Cow gentoo-dev 2018-10-07 21:25:17 UTC
The bug has been referenced in the following commit(s):

commit e9c0bdddcfb6b77ef3d999493a85e286cca0020c
Author:     Virgil Dupras <>
AuthorDate: 2018-10-07 21:23:12 +0000
Commit:     Virgil Dupras <>
CommitDate: 2018-10-07 21:24:39 +0000

    profiles: last-rite app-office/openerp
    Signed-off-by: Virgil Dupras <>

 profiles/package.mask | 8 ++++++++
 1 file changed, 8 insertions(+)
Comment 7 Eddie Chapman 2018-10-19 10:56:54 UTC
As a user of both


without having app-office/openerp installed, I'm wondering what is the possibility of keeping them in the tree for now, albeit without a maintainer?

If a maintainer is required I'll probably volunteer in the future but not now, if no one else wants to. I'd be happy to make a new ebuild now for vatnumber to update it to latest upstream 1.2 and test it, if someone as a proxy can review and commit it. dev-python/pychart is already at latest upstream version.
Comment 8 Virgil Dupras (RETIRED) gentoo-dev 2018-10-19 11:47:02 UTC
No problem, I'll unmask them. Libraries with single revdeps like these often have no other purpose, which is why I last-rited them. If they're used, let's keep them.

It's indeed preferable to adopt them if you want to keep them because orphan libraries like this that are maintained by no one else than the python project are subject to random last-riting.
Comment 9 Larry the Git Cow gentoo-dev 2018-10-19 11:51:21 UTC
The bug has been referenced in the following commit(s):

commit 99126be0a6f47fa0d35cbe6f305afe71366c4d61
Author:     Virgil Dupras <>
AuthorDate: 2018-10-19 11:49:51 +0000
Commit:     Virgil Dupras <>
CommitDate: 2018-10-19 11:49:51 +0000

    profiles: unmask last-rited packages
    pychart and vatnumber are apparently still needed. Cancelling
    Signed-off-by: Virgil Dupras <>

 profiles/package.mask | 2 --
 1 file changed, 2 deletions(-)
Comment 10 Larry the Git Cow gentoo-dev 2018-11-07 12:25:35 UTC
The bug has been referenced in the following commit(s):

commit 976bc8af740fe5b78ae71df52e3ca9ad73800051
Author:     Virgil Dupras <>
AuthorDate: 2018-11-07 12:22:14 +0000
Commit:     Virgil Dupras <>
CommitDate: 2018-11-07 12:25:22 +0000

    app-office/openerp: remove last-rited package
    and orphan dependency.
    Signed-off-by: Virgil Dupras <>

 app-office/openerp/Manifest                    |   2 -
 app-office/openerp/files/openerp               |  22 -----
 app-office/openerp/files/openerp-2             |  23 -----
 app-office/openerp/files/openerp-confd         |   3 -
 app-office/openerp/files/openerp-confd-2       |   3 -
 app-office/openerp/files/openerp.cfg           |  64 -------------
 app-office/openerp/files/openerp.cfg.2         |  65 --------------
 app-office/openerp/files/openerp.logrotate     |   9 --
 app-office/openerp/metadata.xml                |   8 --
 app-office/openerp/openerp-7.0.20140125.ebuild | 119 -------------------------
 app-office/openerp/openerp-8.0.20140125.ebuild | 119 -------------------------
 dev-python/pywebdav/Manifest                   |   1 -
 dev-python/pywebdav/metadata.xml               |  14 ---
 dev-python/pywebdav/pywebdav-0.9.8-r1.ebuild   |  29 ------
 profiles/package.mask                          |   6 --
 15 files changed, 487 deletions(-)