Package Details: icecat 115.18.0-1

Git Clone URL: https://aur.archlinux.org/icecat.git
Package Base: icecat
Description: GNU version of the Firefox ESR browser
Upstream URL: https://git.savannah.gnu.org/cgit/gnuzilla.git
Keywords: browser esr gnuzilla web
Licenses: MPL-2.0
Submitter: None
Maintainer: figue (xiota)
Last Packager: xiota
Votes: 250
Popularity: 0.173151
First Submitted: 2007-12-09 10:12 (UTC)
Last Updated: 2024-11-30 19:41 (UTC)

Dependencies (51)

Sources (10)

Pinned Comments

xiota commented on 2024-02-26 07:32 (UTC) (edited on 2025-05-31 19:23 (UTC) by xiota)

PKGBUILD has been updated. Major changes:

  • Downloads Firefox ESR and localization using the source array. Files are saved for reuse.
  • Saves freshly patched IceCat sources in a tarball for reuse.
  • Saves the PGO profile for reuse.

Notes:

  • Currently requires clang/llvm 17, which has to be built from AUR.
  • Wayland users, consider setting _build_pgo_xvfb=false. This will use xwayland-run for profiling.
  • PGO should work now, but if it doesn't and you're willing to go without, try _build_pgo=false.
  • Running out of RAM? Try adding mk_add_options MOZ_PARALLEL_BUILD=___ around line 350. Pick a value less than the number of cores and free RAM in GB. For example, on a system with 8 cores, 64 GB total RAM, but only 6 GB free, the value should be set to 4 or 5.
    • If a few people can confirm this is helpful, I will consider adding it as an additional option.
    • Main resource hog seems to be linking libxul.so. Leave a comment if you have a potential solution.

Having problems? Please provide details: processor make and model, number of cores, free -m, full log in pastebin, whether using AUR helper/makepkg/clean chroot, etc.
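
One way to compute the MOZ_PARALLEL_BUILD value described in the pinned comment above, as an added example (not part of the PKGBUILD or the maintainer's comment). It assumes Linux with /proc/meminfo and uses MemAvailable as the "free RAM" figure; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: derive a MOZ_PARALLEL_BUILD value from core count and free RAM.
# Rule from the comment: pick a value less than both the number of cores
# and the free RAM in GB. Function names here are hypothetical.

# pick_parallel_jobs CORES FREE_GB
# Prints the largest integer strictly below both inputs, never below 1.
pick_parallel_jobs() {
    pj_cores=$1
    pj_free_gb=$2
    pj_limit=$pj_cores
    if [ "$pj_free_gb" -lt "$pj_limit" ]; then
        pj_limit=$pj_free_gb
    fi
    pj_n=$((pj_limit - 1))
    if [ "$pj_n" -lt 1 ]; then
        pj_n=1    # a build always needs at least one job
    fi
    echo "$pj_n"
}

# detect_free_gb
# Assumption: MemAvailable (kB) from /proc/meminfo stands in for "free RAM".
# Prints whole GB, rounded down; prints nothing if the file is unreadable.
detect_free_gb() {
    awk '/^MemAvailable:/ { print int($2 / 1048576) }' /proc/meminfo 2>/dev/null
}

# mozconfig_line
# Prints the line to add to the mozconfig section of the PKGBUILD.
mozconfig_line() {
    ml_cores=$(nproc 2>/dev/null || echo 1)
    ml_free=$(detect_free_gb)
    ml_free=${ml_free:-1}    # fall back to the most conservative value
    echo "mk_add_options MOZ_PARALLEL_BUILD=$(pick_parallel_jobs "$ml_cores" "$ml_free")"
}

mozconfig_line
```

Run it right before starting the build, since the free-memory figure reflects the moment it is read.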

Latest Comments


xiota commented on 2025-06-10 15:16 (UTC)

@impulse Please do not spam comments any more.

You clearly did not even bother trying to install this package, and do not know how AUR works. I suspect you are not even an Arch Linux user.

Regardless of what the version says, this package is not currently installable.

impulse commented on 2025-06-10 12:49 (UTC) (edited on 2025-06-10 12:55 (UTC) by impulse)

Hi @xiota, thanks for the quick response. One thing to consider is if someone already had icecat installed (no updates could happen). Also, yeah, the ESR is old, but 115 ESR is still getting patches from Mozilla, till September 16, 2025.

The Gnuzilla binaries are not as updated, but from git Savannah, it usually reacts to the new upstream ESR patches reasonably (for now).

So IDK.

Maybe unpin the version if you feel like maintaining it; that way the issue is on Gnuzilla/GNU if something goes wrong security-wise.

Many thanks (: James Clarke

impulse commented on 2025-06-10 12:41 (UTC) (edited on 2025-06-10 12:46 (UTC) by impulse)

WARNING: This package is insecure (last updated: 2024-11-30). Must be updated to 115.24.0, which Gnuzilla did on 2025-05-26. It has patches for all vulns below. Many critical CVEs apply here: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

CVSS scores from: https://nvd.nist.gov/

Mozilla: "Critical" severity vulns "not fixed" for 115.18.0:

CVE-2025-2857 (10.0 CRITICAL): Incorrect handle could lead to sandbox escapes

CVE-2025-4918 (7.5 HIGH): Out-of-bounds access when resolving Promise objects

CVE-2025-4919 (8.8 HIGH): Out-of-bounds access when optimizing linear sums

CVE-2024-43097 (7.8 HIGH): Overflow when growing an SkRegion's RunArray

MFSA-TMP-2025-0001 (Still PRIVATE): Double-free in libvpx encoder

(It is an exploitable memory bug in the (VP8/VP9) video encoder through WebRTC. Based on the little said about it, it's likely very severe, maybe not as much as CVE-2025-2857.)

Mozilla: "High" Severity Vulns "not fixed" for 115.18.0:

CVE-2025-1009 (9.8 CRITICAL): Use-after-free in XSLT

CVE-2025-1010 (NVD: 8.8 HIGH, CISA:ADP: 9.8 CRITICAL): Use-after-free in Custom Highlight

CVE-2025-1016 (9.8 CRITICAL): Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 115.20, and Thunderbird 128.7

"Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code."

Note: although the report does not specify 115.18.0, looking at the reports, some have a wontfix, so I would assume this version is impacted too. https://nvd.nist.gov/vuln/detail/CVE-2025-1016

I won't list the moderate-low ones here due to time constraints, but you get the idea.

I tried to submit a deletion request for security reasons. Reason: "Package was flagged OoD two days ago, give the maintainers some time." However, I am going off of the upstream update, not upon user report (which can be weeks after), because of the unique nature of the web: web browsers are one of the most security-sensitive user-level apps, as it's a program that runs arbitrary code from the internet on your computer, albeit in a sandbox, but they only work if they get patches.

Usually I wouldn't be concerned, and it's all community based, someone's free time, right? I respect and appreciate those who maintain packages in their free time; I maintain some myself.

My only concern is with crucial software that people use often and that has a high attack surface; it's very important we work to ensure things don't go out of date.

Advice: unpin the version so it's dynamic, lean on PGP sigs for extra build security.

Hope this helps, James Clarke

xiota commented on 2025-06-04 15:29 (UTC)

@impulse Thanks for the "warning", but not really necessary because this package is currently unbuildable. I'd actually advise against using any version of icecat until it is updated to ESR 128 or later.

impulse commented on 2025-06-04 15:11 (UTC) (edited on 2025-06-04 15:12 (UTC) by impulse)

SECURITY WARNING: PLEASE DO NOT USE THIS PACKAGE, until it is updated.

Use icecat-bin instead, which is up-to-date to Gnuzilla master at time of writing (4th of June 2025).

See here to keep up-to-date with official Mozilla security advisories: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

xiota commented on 2025-05-31 19:21 (UTC) (edited on 2025-05-31 19:21 (UTC) by xiota)

I'm stuck... Last build attempt, progress ceased, but it continued eating up all available resources until I euthanized it over an hour later. I haven't tried limiting core usage yet.

Posting here in case others want to try or have any ideas. PKGBUILD-icecat-wip

micwoj92 commented on 2025-03-05 20:25 (UTC)

Also probably can be built using newer clang now.

micwoj92 commented on 2025-03-05 20:24 (UTC)

@xiota, did you try this approach? https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=seamonkey#n116