Package Details: icecat 115.18.0-1

Git Clone URL: https://aur.archlinux.org/icecat.git (read-only)
Package Base: icecat
Description: GNU version of the Firefox ESR browser
Upstream URL: https://git.savannah.gnu.org/cgit/gnuzilla.git
Keywords: browser esr gnuzilla web
Licenses: MPL-2.0
Submitter: None
Maintainer: figue (xiota)
Last Packager: xiota
Votes: 250
Popularity: 0.195637
First Submitted: 2007-12-09 10:12 (UTC)
Last Updated: 2024-11-30 19:41 (UTC)

Dependencies (51)

Sources (10)

Pinned Comments

xiota commented on 2024-02-26 07:32 (UTC) (edited on 2025-05-31 19:23 (UTC) by xiota)

PKGBUILD has been updated. Major changes:

  • Downloads Firefox ESR and localization using the source array. Files are saved for reuse.
  • Saves freshly patched IceCat sources in a tarball for reuse.
  • Saves the PGO profile for reuse.

Notes:

  • Currently requires clang/llvm 17, which has to be built from AUR.
  • Wayland users, consider setting _build_pgo_xvfb=false. This will use xwayland-run for profiling.
  • PGO should work now, but if it doesn't and you're willing to go without, try _build_pgo=false.
  • Running out of RAM? Try adding mk_add_options MOZ_PARALLEL_BUILD=___ around line 350. Pick a value less than number of cores and free RAM in GB. For example, on a system with 8 cores, 64GB total RAM, but only 6 GB free, the value should be set to 4 or 5.
    • If a few people can confirm this is helpful, I will consider adding it as an additional option.
    • Main resource hog seems to be linking libxul.so. Leave a comment if you have a potential solution.

Having problems? Please provide details: processor make and model, number of cores, free -m, full log in pastebin, whether using AUR helper/makepkg/clean chroot, etc.
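
The sizing rule from the note on MOZ_PARALLEL_BUILD above, written out as a small shell helper. This is an added example, not part of the icecat PKGBUILD or the maintainer's code; the function names and the sample `free -m` output are constructed, and reading the "free" column rather than "available" is an assumption.

```shell
#!/bin/sh
# Added example (not from the PKGBUILD): suggest a MOZ_PARALLEL_BUILD value
# that is lower than both the core count and the free RAM in GB.

# free_gb_from_free_m: read `free -m` output on stdin, print whole GB free.
# Assumption: the "free" column (4th field of the "Mem:" row) is the figure
# meant. Run free with LC_ALL=C so the row label is not localized.
free_gb_from_free_m() {
  awk '$1 == "Mem:" { print int($4 / 1024); found = 1 }
       END { if (!found) exit 1 }'
}

# parallel_jobs CORES FREE_GB: largest value strictly below both inputs,
# never below 1 so the build can still run on a starved machine.
parallel_jobs() (
  cores=$1
  free_gb=$2
  limit=$(( cores < free_gb ? cores : free_gb ))
  echo $(( limit > 1 ? limit - 1 : 1 ))
)

# mozconfig_line CORES FREE_GB: the line to add to the mozconfig.
mozconfig_line() {
  echo "mk_add_options MOZ_PARALLEL_BUILD=$(parallel_jobs "$1" "$2")"
}

# Constructed sample of `free -m` output: 64 GB total, about 6 GB free.
sample_free_m='               total        used        free      shared  buff/cache   available
Mem:           64215       52110        6200         812        5905       10480
Swap:           8191         120        8071'

# The 8-core case from the note, using the constructed sample.
mozconfig_line 8 "$(printf '%s\n' "$sample_free_m" | free_gb_from_free_m)"

# On a live system:
#   mozconfig_line "$(nproc)" "$(LC_ALL=C free -m | free_gb_from_free_m)"
```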

Latest Comments

impulse commented on 2025-06-10 12:41 (UTC) (edited on 2025-06-10 12:46 (UTC) by impulse)

WARNING: This package is insecure (last updated: 2024-11-30). It must be updated to 115.24.0, which Gnuzilla did on 2025-05-26. It has patches for all vulns below. Many critical CVEs apply here: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

CVSS scores from: https://nvd.nist.gov/

Mozilla: "Critical" severity vulns "not fixed" for 115.18.0:

CVE-2025-2857 (10.0 CRITICAL): Incorrect handle could lead to sandbox escapes

CVE-2025-4918 (7.5 HIGH): Out-of-bounds access when resolving Promise objects

CVE-2025-4919 (8.8 HIGH): Out-of-bounds access when optimizing linear sums

CVE-2024-43097 (7.8 HIGH): Overflow when growing an SkRegion's RunArray

MFSA-TMP-2025-0001 (Still PRIVATE): Double-free in libvpx encoder

(It is an exploitable memory bug in the (VP8/VP9) Video Encoder through WebRTC. Based on the little said about it, it's likely very severe, maybe not as much as CVE-2025-2857.)

Mozilla: "High" Severity Vulns "not fixed" for 115.18.0:

CVE-2025-1009 (9.8 CRITICAL): Use-after-free in XSLT

CVE-2025-1010 (NVD: 8.8 HIGH, CISA:ADP: 9.8 CRITICAL): Use-after-free in Custom Highlight

CVE-2025-1016 (9.8 CRITICAL): Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 115.20, and Thunderbird 128.7

""" Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. """

Note: although the report does not specify 115.18.0, looking at the reports, some have a wontfix, so I would assume this version is impacted too. https://nvd.nist.gov/vuln/detail/CVE-2025-1016

I won't list the moderate-low ones here due to time constraints, but you get the idea.

I tried to submit a deletion request for security reasons, Reason: "Package was flagged OoD two days ago, give the maintainers some time.", However, I am going off of upstream update, not upon user report (which can be weeks after) because of the unique nature of web, web browsers are one of the most security sensitive user level apps as it's a program that runs arbitrary code from the internet, on your computer, albeit in a sandbox, but they only work if they get patches.

Usually I wouldn't be concerned and it's all community based, someone's free time, right? I respect and appreciate those who maintain packages in their free time, I maintain some myself.

My only concern is with crucial software that people use often and that has a high attack surface; it's very important we work to ensure things don't go out of date.

Advice: unpin the version so it's dynamic, lean on PGP sigs for extra build security.

Hope this helps, James Clarke

xiota commented on 2025-06-04 15:29 (UTC)

@impulse Thanks for the "warning", but not really necessary because this package is currently unbuildable. I'd actually advise against using any version of icecat until it is updated to ESR 128 or later.

impulse commented on 2025-06-04 15:11 (UTC) (edited on 2025-06-04 15:12 (UTC) by impulse)

SECURITY WARNING: PLEASE DO NOT USE THIS PACKAGE, until it is updated.

Use icecat-bin instead, which is up-to-date to Gnuzilla master at time of writing (4th of June 2025).

See here to keep up-to-date with official Mozilla security advisories: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

xiota commented on 2025-05-31 19:21 (UTC) (edited on 2025-05-31 19:21 (UTC) by xiota)

I'm stuck... Last build attempt, progress ceased, but it continued eating up all available resources until I euthanized it over an hour later. I haven't tried limiting core usage yet.

Posting here in case others want to try or have any ideas. PKGBUILD-icecat-wip

micwoj92 commented on 2025-03-05 20:25 (UTC)

Also probably can be built using newer clang now.

micwoj92 commented on 2025-03-05 20:24 (UTC)

@xiota, did you try this approach? https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=seamonkey#n116

xiota commented on 2025-01-14 07:49 (UTC) (edited on 2025-02-10 04:23 (UTC) by xiota)

2025-02-10: Planning to try again during upcoming week, but expecting future 115.x versions to be unbuildable on current Arch systems because of incompatible Clang and Python.

2025-01-20: Mach seems to ignore aur/python312, and clang/llvm 17 can't be built because 2to3 is missing.

2025-01-14: Will take a while to figure out how to get this to build after recent Python update.

kreijstal commented on 2025-01-13 07:27 (UTC)

    )
  File "/home/kreijstal/.cache/yay/icecat/src/icecat-115.18.0/tools/esmify/mach_commands.py", line 18, in path_sep_to_native
    return pathlib.os.sep.join(path_str.split("/"))
           ^^^^^^^^^^
AttributeError: module 'pathlib' has no attribute 'os'
==> FEHLER: Ein Fehler geschah in build().
    Breche ab...
 -> Fehler beim Erstellen: icecat-exit status 4
 -> Die folgenden Pakete konnten nicht installiert werden. Ein manueller Eingriff ist erforderlich:
icecat - exit status 4

python 3.13:

kreijstal@kreijstalnuc:~/git$ python
Python 3.13.1 (main, Dec  4 2024, 18:05:56) [GCC 14.2.1 20240910] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pathlib
>>> pathlib.os
Traceback (most recent call last):
  File "<python-input-1>", line 1, in <module>
    pathlib.os
AttributeError: module 'pathlib' has no attribute 'os'
>>>