Package Details: icecat 128.12.0-3

Git Clone URL: https://aur.archlinux.org/icecat.git (read-only)
Package Base: icecat
Description: GNU version of the Firefox ESR browser
Upstream URL: https://git.savannah.gnu.org/cgit/gnuzilla.git
Keywords: browser esr gnuzilla web
Licenses: MPL-2.0
Submitter: None
Maintainer: figue (xiota)
Last Packager: xiota
Votes: 251
Popularity: 0.58
First Submitted: 2007-12-09 10:12 (UTC)
Last Updated: 2025-07-11 02:08 (UTC)

Dependencies (49)

Sources (2)

Pinned Comments

xiota commented on 2024-02-26 07:32 (UTC) (edited on 2025-07-20 23:15 (UTC) by xiota)

Description of build options and defaults. See PKGBUILD for current list.

  • _build_save_source (true) – save tarball of patched sources
  • _build_repatch (false) – discard previously saved tarball
  • _build_pgo (true) – enable profile guided optimization; ~20% better benchmarks, 3× build time
  • _build_pgo_reuse (try) – reuse previously generated profile
  • _build_pgo_xvfb (true) – use Xvfb for profiling, otherwise, use xwayland-run
  • _build_lto (false) – use link-time optimization (LTO); disabling may prevent spurious crashes
  • _build_system_libs (true) – use system libraries
  • _build_limit_cores (false) – limit parallelization based on memory and core availability

Examples of use:

  • _build_pgo=false makepkg -Csr
  • extra-x86_64-build -- -- _build_limit_cores=true
  • _build_pgo_xvfb=false yay icecat # usage with AUR helpers may vary

Latest Comments

impulse commented on 2025-06-10 12:41 (UTC) (edited on 2025-06-10 12:46 (UTC) by impulse)

WARNING: This package is insecure (last updated: 2024-11-30). It must be updated to 115.24.0, which Gnuzilla did on 2025-05-26. It has patches for all vulns below. Many critical CVEs apply here: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

CVSS scores from: https://nvd.nist.gov/

Mozilla: "Critical" severity vulns "not fixed" for 115.18.0:

CVE-2025-2857 (10.0 CRITICAL): Incorrect handle could lead to sandbox escapes

CVE-2025-4918 (7.5 HIGH): Out-of-bounds access when resolving Promise objects

CVE-2025-4919 (8.8 HIGH): Out-of-bounds access when optimizing linear sums

CVE-2024-43097 (7.8 HIGH): Overflow when growing an SkRegion's RunArray

MFSA-TMP-2025-0001 (Still PRIVATE): Double-free in libvpx encoder

(It is an exploitable memory bug in the (VP8/VP9) video encoder through WebRTC; based on the little said about it, it's likely very severe, maybe not as much as CVE-2025-2857.)

Mozilla: "High" Severity Vulns "not fixed" for 115.18.0:

CVE-2025-1009 (9.8 CRITICAL): Use-after-free in XSLT

CVE-2025-1010 (NVD: 8.8 HIGH, CISA:ADP: 9.8 CRITICAL): Use-after-free in Custom Highlight

CVE-2025-1016 (9.8 CRITICAL): Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 115.20, and Thunderbird 128.7

""" Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. """

Note: although the report does not specify 115.18.0, looking at the reports, some have a wontfix, so I would assume this version is impacted too. https://nvd.nist.gov/vuln/detail/CVE-2025-1016

I won't list the moderate-low ones here due to time constraints, but you get the idea.

I tried to submit a deletion request for security reasons. Reason: "Package was flagged OoD two days ago, give the maintainers some time." However, I am going off of the upstream update, not a user report (which can be weeks after), because of the unique nature of the web: web browsers are one of the most security-sensitive user-level apps, as a browser is a program that runs arbitrary code from the internet on your computer, albeit in a sandbox, but they only work if they get patches.

Usually I wouldn't be concerned, and it's all community based, someone's free time, right? I respect and appreciate those who maintain packages in their free time; I maintain some myself.

My only concern is with crucial software that people use often and that has a high attack surface; it's very important we work to ensure things don't go out of date.

Advice: unpin the version so it's dynamic, lean on PGP sigs for extra build security.

Hope this helps, James Clarke

impulse commented on 2025-06-04 15:11 (UTC) (edited on 2025-06-04 15:12 (UTC) by impulse)

SECURITY WARNING: PLEASE DO NOT USE THIS PACKAGE, until it is updated.

Use icecat-bin instead, which is up-to-date to Gnuzilla master at time of writing (4th of June 2025).

See here to keep up-to-date with official Mozilla security advisories: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

micwoj92 commented on 2025-03-05 20:25 (UTC)

Also probably can be built using newer clang now.

micwoj92 commented on 2025-03-05 20:24 (UTC)

@xiota, did you try this approach? https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=seamonkey#n116

xiota commented on 2025-01-14 07:49 (UTC) (edited on 2025-02-10 04:23 (UTC) by xiota)

2025-02-10: Planning to try again during upcoming week, but expecting future 115.x versions to be unbuildable on current Arch systems because of incompatible Clang and Python.

2025-01-20: Mach seems to ignore aur/python312, and clang/llvm 17 can't be built because 2to3 is missing.

2025-01-14: Will take a while to figure out how to get this to build after recent Python update.

kreijstal commented on 2025-01-13 07:27 (UTC)

    )
  File "/home/kreijstal/.cache/yay/icecat/src/icecat-115.18.0/tools/esmify/mach_commands.py", line 18, in path_sep_to_native
    return pathlib.os.sep.join(path_str.split("/"))
           ^^^^^^^^^^
AttributeError: module 'pathlib' has no attribute 'os'
==> FEHLER: Ein Fehler geschah in build().
    Breche ab...
 -> Fehler beim Erstellen: icecat-exit status 4
 -> Die folgenden Pakete konnten nicht installiert werden. Ein manueller Eingriff ist erforderlich:
icecat - exit status 4

python 3.13:

kreijstal@kreijstalnuc:~/git$ python
Python 3.13.1 (main, Dec  4 2024, 18:05:56) [GCC 14.2.1 20240910] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pathlib
>>> pathlib.os
Traceback (most recent call last):
  File "<python-input-1>", line 1, in <module>
    pathlib.os
AttributeError: module 'pathlib' has no attribute 'os'
>>>
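
The failure in the traceback above comes from reaching `os` through `pathlib`, which Python 3.13 no longer allows. The following is an added example, not code from the package or from upstream: it walks a source tree with `ast` to list every `pathlib.os` access a packager would need to patch, and shows an equivalent `path_sep_to_native` that uses `os` directly. The sample source and the `find_pathlib_os` and `scan_tree` names are constructed for illustration.

```python
import ast
import os

# Constructed sample mirroring the failing line from the traceback above.
SAMPLE = '''\
import pathlib

def path_sep_to_native(path_str):
    return pathlib.os.sep.join(path_str.split("/"))

def unrelated(p):
    return pathlib.Path(p).name
'''

def find_pathlib_os(source, filename="<sample>"):
    """Return (line, col) of every `pathlib.os` attribute access in source."""
    hits = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if (isinstance(node, ast.Attribute) and node.attr == "os"
                and isinstance(node.value, ast.Name)
                and node.value.id == "pathlib"):
            hits.append((node.lineno, node.col_offset))
    return sorted(hits)

def scan_tree(root):
    """Scan every .py file under root; return {path: [(line, col), ...]}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    hits = find_pathlib_os(fh.read(), path)
            except (SyntaxError, UnicodeDecodeError, ValueError):
                continue  # Python 2 era or non-UTF-8 files: skip, do not abort
            if hits:
                report[path] = hits
    return report

def path_sep_to_native(path_str):
    """Same behaviour as the failing helper, using the os module directly."""
    return os.sep.join(path_str.split("/"))

if __name__ == "__main__":
    print(find_pathlib_os(SAMPLE))
```

Point `scan_tree` at the unpacked source directory before starting a long build to see whether other files need the same change.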