I already had mozilla-firefox-bin-1.0 installed. I saw the security announcement so I tried to update to 1.0.1. I emerged sync and it told me to update portage. I emerged portage and then emerged mozilla-firefox-bin-1.0.1. I started up firefox but help -> about and --version both told me I was still running version 1.0. I poked around and found that the version running was under /usr/lib/MozillaFirefox/ and the files there dated back from when I had installed version 1.0. I am currently working on manually cleaning this up. The danger is that someone can think they upgraded and got the security patches but actually they are still running the old version.

This thread has more details of my poking around: http://forums.gentoo.org/viewtopic.php?p=2155766

I listed this bug as critical because if people just follow the instructions then portage tells them they have updated firefox-bin but they are still running the older version without the security fixes.

Reproducible: Didn't try

Steps to Reproduce:
1. emerge mozilla-firefox-bin (version 1.0 under older portage)
2. emerge sync; emerge portage
3. emerge mozilla-firefox-bin (version 1.0.1 under newer portage)

Actual Results:
$ firefox --version
Mozilla Firefox 1.0, Copyright (c) 2004 mozilla.org

Expected Results:
$ firefox --version
Mozilla Firefox 1.0.1, Copyright (c) 2004 mozilla.org

emerge info
Portage 2.0.51.19 (default-linux/x86/2004.0, gcc-3.3.2, glibc-2.3.2-r9, 2.4.22_pre2-gss i686)
=================================================================
System uname: 2.4.22_pre2-gss i686 Intel(R) Pentium(R) 4 Mobile CPU 1.60GHz
Gentoo Base System version 1.4.3.13
Python: dev-lang/python-2.2.3-r1,dev-lang/python-2.3.3 [2.3.3 (#1, Feb 26 2004, 17:50:12)]
distcc 2.9 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
dev-lang/python: 2.2.3-r1, 2.3.3
sys-devel/autoconf: 2.58-r1
sys-devel/automake: 1.7.7
sys-devel/binutils: 2.14.90.0.7-r4
sys-devel/libtool: 1.4.3-r3
virtual/os-headers: 2.4.21, 2.4.19-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=pentium4 -Os -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.1/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-march=pentium4 -Os -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms"
GENTOO_MIRRORS="http://gentoo.mirrors.pair.com/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://gentoo.seren.com/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="x86 X aalib alsa apache2 apm arts avi bash-completion berkdb bitmap-fonts cdr crypt cups curl directfb dvd emacs emboss encode esd ethereal f77 fam fbcon flac font-server foomaticdb fortran gd gdbm ggi gif gpm gtk2 imagemagick imlib ipv6 java jikes jpeg junit kde libwww lids lirc mad mmx motif mozilla mpeg mule mysql ncurses oav oggvorbis opengl oss pam pcmcia pda pdflib perl pic plotutils png pnp ppds python qt quicktime readline ruby sdl slang speex spell sse ssl svga tcltk tcpd tetex tiff truetype truetype-fonts type1-fonts usb wmf xml xml2 xmms xv zlib"
Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS

I fixed the problem on my system by doing the following:

# emerge -c mozilla-firefox-bin
# mv /usr/lib/MozillaFirefox /usr/lib/old.MozillaFire
# rm /usr/bin/firefox*
# emerge mozilla-firefox-bin

Strange... Theoretically it downloads and installs the right version... Can someone else reproduce that?

CCing Mozilla team

WORKSFORME here. Jim, mozilla-firefox-bin won't touch any files in /usr/lib, it installs to /opt, so I guess you had installed mozilla-firefox...

Yes, you are right. I had forgotten that I did install mozilla-firefox. I first installed mozilla-firefox-bin-1.0 but then something didn't work right, maybe Java support or something. So I had to fiddle with some USE flags and then I emerged the source code version of firefox. Clearly there is some pilot error here, which is good in the sense that only people who emerge the bin 1.0.1 version with the source code 1.0 version already installed will have this problem. But isn't it still a problem? Should portage require that the user have a perfect memory of all of the packages that have been emerged and the implications these previous packages have on the new packages? I don't think it is right for portage to tell me that the binary of version 1.0.1 is installed and then silently fail to actually upgrade the version of firefox I am using. Wouldn't it be better to either a) actually update the firefox I use or b) give me a warning telling me why it didn't do the update?
Probably, but it's no longer a security issue :) Please file another bug (assigned to mozilla team) if you think mozilla-firefox-bin should block mozilla-firefox more effectively.
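
Added example, not part of the original bug thread: a post-upgrade check for the failure described above, where the package manager reports the new version but PATH still resolves to an older copy. The function names, the `firefox-demo` program name and the temporary directory layout are assumptions constructed for illustration.

```sh
# Added example: after an upgrade, confirm which copy of a program PATH
# resolves to and whether every copy on PATH reports the expected version.

# Print every executable called NAME on PATH, in resolution order.
find_on_path() {
    name=$1
    old_ifs=$IFS; IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    IFS=$old_ifs
}

# Return 0 if the copy that runs reports EXPECTED and no stale copy remains,
# 1 if the copy that runs is stale or missing, 2 if only a shadowed copy is stale.
check_upgrade() {
    name=$1; expected=$2
    report=$(find_on_path "$name" | {
        role=ACTIVE
        while IFS= read -r bin; do
            ver=$("$bin" --version 2>/dev/null </dev/null | head -n 1)
            case $ver in
                *" $expected,"*|*" $expected") state=OK ;;
                *) state=STALE ;;
            esac
            printf '%s %s %s [%s]\n' "$role" "$state" "$bin" "$ver"
            role=SHADOWED
        done
    })
    printf '%s\n' "$report"
    case $report in "ACTIVE OK "*) ;; *) return 1 ;; esac
    case $report in *" STALE "*) return 2 ;; esac
    return 0
}

# Constructed layout mirroring the report: an old 1.0 launcher first on PATH,
# the 1.0.1 binary package under a separate prefix.
make_demo() {
    mkdir -p "$1/usr/bin" "$1/opt/firefox"
    printf '#!/bin/sh\necho "Mozilla Firefox 1.0, Copyright (c) 2004 mozilla.org"\n' > "$1/usr/bin/firefox-demo"
    printf '#!/bin/sh\necho "Mozilla Firefox 1.0.1, Copyright (c) 2004 mozilla.org"\n' > "$1/opt/firefox/firefox-demo"
    chmod +x "$1/usr/bin/firefox-demo" "$1/opt/firefox/firefox-demo"
}

demo=$(mktemp -d); make_demo "$demo"; status=0
( PATH="$demo/usr/bin:$demo/opt/firefox:$PATH"; check_upgrade firefox-demo 1.0.1 ) || status=$?
echo "exit status: $status"; rm -rf "$demo"
```

On the constructed layout the first report line is tagged ACTIVE STALE and the exit status is 1, which is the condition the reporter hit.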