WARNING: This package is insecure (last updated: 2024-11-30). It must be updated to 115.24.0,
which Gnuzilla did on 2025-05-26. It has patches for all vulns below. Many critical CVEs apply here:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
CVSS scores from: https://nvd.nist.gov/
Mozilla: "Critical" severity vulns "not fixed" for 115.18.0:
CVE-2025-2857 (10.0 CRITICAL): Incorrect handle could lead to sandbox escapes
CVE-2025-4918 (7.5 HIGH): Out-of-bounds access when resolving Promise objects
CVE-2025-4919 (8.8 HIGH): Out-of-bounds access when optimizing linear sums
CVE-2024-43097 (7.8 HIGH): Overflow when growing an SkRegion's RunArray
MFSA-TMP-2025-0001 (Still PRIVATE): Double-free in libvpx encoder
(It is an exploitable memory bug in the (VP8/VP9) video encoder through WebRTC; based on the little said about it, it's likely very severe, maybe not as much as CVE-2025-2857.)
Mozilla: "High" severity vulns "not fixed" for 115.18.0:
CVE-2025-1009 (9.8 CRITICAL): Use-after-free in XSLT
CVE-2025-1010 (NVD: 8.8 HIGH, CISA:ADP: 9.8 CRITICAL): Use-after-free in Custom Highlight
CVE-2025-1016 (9.8 CRITICAL): Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 115.20, and Thunderbird 128.7
""" Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. """
Note: although the report does not specify 115.18.0, looking at the reports, some have a wontfix, so I would assume this version is impacted too.
https://nvd.nist.gov/vuln/detail/CVE-2025-1016
I won't list the moderate-low ones here due to time constraints, but you get the idea.
I tried to submit a deletion request for security reasons. Reason: "Package was flagged OoD two days ago, give the maintainers some time." However, I am going off of the upstream update, not the user report (which can be weeks after), because of the unique nature of the web: web browsers are one of the most security-sensitive user-level apps, as a browser is a program that runs arbitrary code from the internet on your computer, albeit in a sandbox, but they only work if they get patches.
Usually I wouldn't be concerned, and it's all community-based, someone's free time, right? I respect and appreciate those who maintain packages in their free time; I maintain some myself.
My only concern is with crucial software that people use often and that has a high attack surface; it's very important we work to ensure such things don't go out of date.
Advice: unpin the version so it's dynamic, and lean on PGP sigs for extra build security.
Hope this helps, James Clarke
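The comment above recommends leaning on PGP signatures. makepkg only verifies an upstream signature when the PKGBUILD ships a detached .sig/.asc entry in source=() and lists the signing key's fingerprint in validpgpkeys=(); with only checksums, the tarball is trusted on a hash the packager typed in. The following shell script is an added example (not code from this AUR page or from the icecat PKGBUILD) that checks a PKGBUILD for both parts. The two PKGBUILD fragments it inspects are constructed, with placeholder URLs and a placeholder fingerprint; on a real package the fingerprint in validpgpkeys must be one you have confirmed belongs to upstream, which this check does not and cannot do.

```shell
#!/bin/sh
# Added example, not from the AUR page or the icecat PKGBUILD.
# Reports whether a PKGBUILD is set up so makepkg verifies an upstream
# PGP signature: a .sig/.asc source entry AND a non-empty validpgpkeys=()
# holding at least one 40-hex-digit fingerprint.

# pkgbuild_sig_check FILE -> prints a verdict; returns 0 only if both parts are present
pkgbuild_sig_check() {
    f="$1"
    has_sig=0
    has_key=0

    # Any .sig or .asc entry (followed by a quote, paren or end of line) counts
    # as a detached-signature source.
    if grep -Eq '\.(sig|asc)([^A-Za-z0-9_]|$)' "$f"; then has_sig=1; fi

    # Pull out the validpgpkeys=( ... ) block, which may span several lines,
    # and require a 40-hex-digit fingerprint somewhere inside it.
    if awk '/^validpgpkeys=\(/ {inblk=1} inblk {print} inblk && /\)/ {inblk=0}' "$f" \
        | grep -Eq '[0-9A-Fa-f]{40}'; then
        has_key=1
    fi

    if [ "$has_sig" -eq 1 ] && [ "$has_key" -eq 1 ]; then
        echo "$f: signature source and validpgpkeys present; makepkg will verify the signature"
        return 0
    fi
    [ "$has_sig" -eq 0 ] && echo "$f: no .sig/.asc source; the upstream signature is never checked"
    [ "$has_key" -eq 0 ] && echo "$f: validpgpkeys empty or missing; makepkg cannot verify a signature"
    return 1
}

# Two constructed PKGBUILD fragments (placeholder names, URLs and fingerprint).
WORK=$(mktemp -d)
cat > "$WORK/PKGBUILD.signed" <<'EOF'
pkgname=example-browser
pkgver=115.24.0
source=("https://example.invalid/$pkgname-$pkgver.tar.xz"
        "https://example.invalid/$pkgname-$pkgver.tar.xz.sig")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
validpgpkeys=(
  'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'  # placeholder fingerprint, not a real key
)
EOF

cat > "$WORK/PKGBUILD.unsigned" <<'EOF'
pkgname=example-browser
pkgver=115.18.0
source=("https://example.invalid/$pkgname-$pkgver.tar.xz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
validpgpkeys=()
EOF

pkgbuild_sig_check "$WORK/PKGBUILD.signed"
pkgbuild_sig_check "$WORK/PKGBUILD.unsigned" || true
```

Run it as-is to see both verdicts, or point pkgbuild_sig_check at a real PKGBUILD. A 'SKIP' checksum on the .sig entry is normal (signatures are not hashed), but a 'SKIP' on the tarball itself would mean neither mechanism pins the source, which this check does not flag.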
Pinned Comments
xiota commented on 2024-02-26 07:32 (UTC) (edited on 2025-05-31 19:23 (UTC) by xiota)
PKGBUILD has been updated. Major changes:

Notes:
- _build_pgo_xvfb=false. This will use xwayland-run for profiling.
- _build_pgo=false.
- mk_add_options MOZ_PARALLEL_BUILD=___ around line 350. Pick a value less than number of cores and free RAM in GB. For example, on a system with 8 cores, 64GB total RAM, but only 6 GB free, the value should be set to 4 or 5.
- libxul.so. Leave a comment if you have a potential solution.

Having problems? Please provide details: processor make and model, number of cores, free -m, full log in pastebin, whether using AUR helper/makepkg/clean chroot, etc.
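The pinned comment's rule for MOZ_PARALLEL_BUILD (a value below both the core count and the free RAM in GB) as an added shell example, not code from the comment or the PKGBUILD. It reads the "available" column of `free -m` rather than the narrower "free" column, on the assumption that page cache can be reclaimed for the build; the `free -m` output embedded below is constructed to match the comment's numbers (64 GB total, 6 GB free) and the host is assumed to have 8 cores unless nproc says otherwise.

```shell
#!/bin/sh
# Added example, not from the AUR page or the PKGBUILD.
# Computes a MOZ_PARALLEL_BUILD value from the rule in the pinned comment:
# strictly less than both the number of cores and the free RAM in GB.

# parallel_jobs CORES FREE_MB -> largest integer below both limits, never below 1
parallel_jobs() {
    cores=$1
    free_gb=$(( $2 / 1024 ))
    limit=$cores
    [ "$free_gb" -lt "$limit" ] && limit=$free_gb
    jobs=$(( limit - 1 ))          # "less than", so one below the tighter limit
    [ "$jobs" -lt 1 ] && jobs=1    # a single job is the floor
    echo "$jobs"
}

# free_mb_from_output FREE_OUTPUT -> the "available" column of the Mem: line
free_mb_from_output() {
    printf '%s\n' "$1" | awk '$1 == "Mem:" { print $NF }'
}

# Constructed `free -m` snapshot (not captured from a real machine):
# 64 GB total, about 6 GB available.
FREE_SAMPLE='              total        used        free      shared  buff/cache   available
Mem:          65536       59392        1024         256        5120        6144
Swap:             0           0           0'

CORES=${CORES:-$(nproc 2>/dev/null || echo 8)}   # assumed 8 cores if nproc is absent
recommended=$(parallel_jobs "$CORES" "$(free_mb_from_output "$FREE_SAMPLE")")
echo "mk_add_options MOZ_PARALLEL_BUILD=$recommended"
```

On the comment's example host (8 cores, 6 GB available) this prints 5; replace FREE_SAMPLE with `$(free -m)` to use the live figure when editing the mozconfig line.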