@ponchale Rather than fixing CVE-2024-9680, you are wasting time arguing. Feel free to flag when there is a new release so that the notice can be unpinned and the package updated.
Update: Issue fixed in 11.4.1, released 2024-10-31.
Search Criteria
Package Details: midori 11.4.3-1
Package Actions
| Git Clone URL: | https://aur.archlinux.org/midori.git (read-only, click to copy) |
|---|---|
| Package Base: | midori |
| Description: | Web browser based on Floorp |
| Upstream URL: | https://github.com/goastian/midori-desktop |
| Licenses: | MPL-2.0 |
| Submitter: | polyzen |
| Maintainer: | xiota |
| Last Packager: | xiota |
| Votes: | 1 |
| Popularity: | 0.065961 |
| First Submitted: | 2024-03-10 01:44 (UTC) |
| Last Updated: | 2024-11-03 17:36 (UTC) |
Dependencies (48)
- dbus (dbus-gitAUR, dbus-selinuxAUR)
- ffmpeg (ffmpeg-nvcodec-11-1-gitAUR, ffmpeg-amd-full-gitAUR, ffmpeg-cudaAUR, ffmpeg-full-gitAUR, ffmpeg-gitAUR, ffmpeg-fullAUR, ffmpeg-decklinkAUR, ffmpeg-headlessAUR, ffmpeg-amd-fullAUR, ffmpeg-libfdk_aacAUR, ffmpeg-obsAUR, ffmpeg-ffplayoutAUR)
- gtk3 (gtk3-no_deadkeys_underlineAUR, gtk3-classicAUR, gtk3-classic-xfceAUR, gtk3-patched-filechooser-icon-viewAUR)
- libevent (libevent-gitAUR)
- libjpeg (mozjpeg-gitAUR, libjpeg-turbo-gitAUR, mozjpegAUR, libjpeg-turbo)
- libpulse (pulseaudio-dummyAUR, libpulse-gitAUR)
- libvpx.so (libvpx-full-gitAUR, libvpx-gitAUR, lib32-libvpx, lib32-libvpx1.3, libvpx, libvpx1.3)
- libwebp.so (lib32-libwebp, libwebp)
- libxss
- libxt
- mime-types (mailcap)
- nspr (nspr-hgAUR)
- nss (nss-hgAUR)
- pipewire (pipewire-gitAUR, pipewire-full-gitAUR)
- ttf-font (neuropol-ttfAUR, ttf-win7-fontsAUR, ttf-ms-win8AUR, ttf-ms-win8-arabicAUR, ttf-ms-win8-hebrewAUR, ttf-ms-win8-seaAUR, ttf-ms-win8-indicAUR, ttf-ms-win8-japaneseAUR, ttf-ms-win8-koreanAUR, ttf-ms-win8-zh_cnAUR, ttf-ms-win8-zh_twAUR, ttf-ms-win8-thaiAUR, ttf-ms-win8-otherAUR, ttf-kidsAUR, ttf-liberation-sans-narrowAUR, ttf-cavafy-scriptAUR, ttf-ms-fontsAUR, ttf-dejavu-ibAUR, ttf-zeldaAUR, ttf-oxygenAUR, ttf-oxygen-gfAUR, ttf-share-gfAUR, ttf-gostAUR, otf-inconsolata-dzAUR, ttf-d2codingAUR, ttf-agaveAUR, ttf-caracteresAUR, ttf-cuprumAUR, ttf-autour-oneAUR, ttf-impallari-milongaAUR, ttf-impallari-miltonianAUR, ttf-clarity-cityAUR, ttf-ms-win10AUR, ttf-ms-win10-japaneseAUR, ttf-ms-win10-koreanAUR, ttf-ms-win10-seaAUR, ttf-ms-win10-thaiAUR, ttf-ms-win10-zh_cnAUR, ttf-ms-win10-zh_twAUR, ttf-ms-win10-otherAUR, ttf-win10AUR, ttf-bmonoAUR, ttf-pt-astra-factAUR, ttf-weblysleekuiAUR, ttf-pt-astra-sansAUR, ttf-pt-astra-serifAUR, ttf-pt-sansAUR, ttf-pt-serifAUR, ttf-pt-monoAUR, ttf-pt-root_uiAUR, ttf-xo-fontsAUR, ttf-paratypeAUR, ttf-plemoljp-binAUR, ttf-dejavu-emojilessAUR, noto-fonts-variable-liteAUR, ttf-lucida-fontsAUR, ttf-plemoljpAUR, ttf-juiseeAUR, ttf-ms-win10-autoAUR, ttf-karlaAUR, noto-fonts-latin-greek-cyrillicAUR, apple-fontsAUR, ttf-ms-win11-autoAUR, ttf-ms-win10-cdnAUR, noto-fonts-liteAUR, ttf-noto-sans-vfAUR, ttf-noto-serif-vfAUR, ttf-noto-sans-mono-vfAUR, ttf-ibm-plex-sans-scAUR, ttf-ms-win11AUR, ttf-ms-win11-japaneseAUR, ttf-ms-win11-koreanAUR, ttf-ms-win11-seaAUR, ttf-ms-win11-thaiAUR, ttf-ms-win11-zh_cnAUR, ttf-ms-win11-zh_twAUR, ttf-ms-win11-otherAUR, gnu-free-fonts, noto-fonts, ttf-bitstream-vera, ttf-croscore, ttf-dejavu, ttf-droid, ttf-ibm-plex, ttf-input, ttf-input-nerd, ttf-liberation)
- zlib (zlib-ng-compat-gitAUR, zlib-gitAUR, zlib-ng-compat)
- cargo (rustup-gitAUR, rust-nightly-binAUR, rust-gitAUR, rust-beta-binAUR, rustup-stubAUR, rust, rustup) (make)
- cbindgen (make)
- clang (llvm-rocm-gitAUR, llvm-gitAUR, clang-minimal-gitAUR, clang17-binAUR) (make)
- diffutils (make)
- dump_syms (dump_syms-gitAUR) (make)
- git (git-gitAUR, git-glAUR) (make)
- imake (make)
- inetutils (inetutils-gitAUR, busybox-coreutilsAUR) (make)
- jackAUR (jack2-gitAUR, pipewire-jack-gitAUR, pipewire-full-jack-gitAUR, jack2, pipewire-jack) (make)
- lld (llvm-rocm-gitAUR, llvm-gitAUR) (make)
- llvm (llvm-rocm-gitAUR, llvm-gitAUR, llvm-minimal-gitAUR) (make)
- mercurial (mercurial-hgAUR, mercurial-stable-hgAUR) (make)
- mesa (mesa-minimal-gitAUR, mesa-gitAUR, mesa-wsl2-gitAUR, amdonly-gaming-mesa-gitAUR, mesa-amd-bc250AUR, mesa-amber) (make)
- nasm (nasm-gitAUR) (make)
- nodejs (nodejs-lts-fermiumAUR, nodejs-gitAUR, python-nodejs-wheelAUR, nodejs-lts-hydrogen, nodejs-lts-iron) (make)
- python (python37AUR, python311AUR, python310AUR) (make)
- python-setuptools (make)
- unzip (unzip-natspecAUR, unzip-zstdAUR) (make)
- wasi-compiler-rt (make)
- wasi-libc (wasi-libc-gitAUR) (make)
- wasi-libc++ (make)
- wasi-libc++abi (make)
- weston (weston-gitAUR) (make)
- wlheadless-run (xwayland-run-gitAUR) (make)
- xorg-xwayland (xorg-xwayland-gitAUR, xorg-xwayland-hidpi-xpropAUR, xorg-xwayland-bug865-issue1578AUR) (make)
- yasm (yasm-gitAUR) (make)
- zip (zip-natspecAUR) (make)
- hunspell-dictionary (hunspell-lbAUR, hunspell-be-taraskAUR, hunspell-de, hunspell-el, hunspell-en_au, hunspell-en_ca, hunspell-en_gb, hunspell-en_us, hunspell-es_any, hunspell-es_ar, hunspell-es_bo, hunspell-es_cl, hunspell-es_co, hunspell-es_cr, hunspell-es_cu, hunspell-es_do, hunspell-es_ec, hunspell-es_es, hunspell-es_gt, hunspell-es_hn, hunspell-es_mx, hunspell-es_ni, hunspell-es_pa, hunspell-es_pe, hunspell-es_pr, hunspell-es_py, hunspell-es_sv, hunspell-es_uy, hunspell-es_ve, hunspell-fr, hunspell-he, hunspell-hu, hunspell-it, hunspell-nl, hunspell-pl, hunspell-ro, hunspell-ru) (optional) – Spell checking
- libnotify (libnotify-gitAUR) (optional) – Notification integration
- networkmanager (networkmanager-gitAUR, networkmanager-iwdAUR) (optional) – Location detection via available WiFi networks
- speech-dispatcher (speech-dispatcher-gitAUR) (optional) – Text-to-Speech
- xdg-desktop-portal (xdg-desktop-portal-gitAUR) (optional) – Screensharing with Wayland
Required by (14)
- remmina-plugin-url (optional)
- rofi-theme-android-1080p (optional)
- rofi-theme-android-720p (optional)
- rofi-theme-applet-1080p (optional)
- rofi-theme-applet-720p (optional)
- rofi-theme-fonts (optional)
- rofi-theme-launcher-1080p (optional)
- rofi-theme-launcher-720p (optional)
- rofi-theme-menu-1080p (optional)
- rofi-theme-menu-720p (optional)
- rofi-theme-powermenu-1080p (optional)
- rofi-theme-powermenu-720p (optional)
- rofi-theme-used (optional)
- webui-aria2-git (optional)
Sources (4)
xiota commented on 2024-10-11 17:07 (UTC) (edited on 2024-10-31 15:16 (UTC) by xiota)
ponchale commented on 2024-10-11 14:40 (UTC)
I am aware of the times I am part of the Midori team, but if you are not going to be impartial in your work of packaging, please relieve your function, we do not tell you how to do your job, respect ours, Midori was 4 months without updating due to the strategy of our entire ecosystem polishing VPN, search engine etc it was not neglected we were working passively on it, Now the activity of updates has returned, so I thank you for maintaining your partial position.
If you decided to package Midori to make passive aggressive comments I appreciate you relieving the function, someone neutral you want to contribute, all projects even Floorp has lasted weeks many times without a commit that does not mean that it has been abandoned or will not be updated.
Thank you.
xiota commented on 2024-10-11 14:27 (UTC)
@ponchale There are new Firefox ESR releases every month with security updates, yet there was a four-month gap between the most recent Midori releases.
"There have been "reports of [CVE-2024-9680] being exploited in the wild." Waiting an indefinite amount of time for it to be fixed is not in users' best interests.
ponchale commented on 2024-10-11 14:10 (UTC)
Your impartiality as a packager is evident, Midori is being updated, take care of the packaging and we take care of the development of the browser.
xiota commented on 2024-10-11 14:04 (UTC) (edited on 2024-10-31 15:14 (UTC) by xiota)
At the time of this writing, Midori has not been updated for CVE-2024-9680. There have been "reports of this vulnerability being exploited in the wild."
Update: Fixed in 38bb05d, included in release 11.4.1.
xiota commented on 2024-10-11 13:53 (UTC) (edited on 2024-10-11 14:03 (UTC) by xiota)
@BuZZ-dEE You have to remove conflicting packages manually. Don't use --noconfirm. That said:
- Package it flagged. Wait until after it's updated before building.
- Try building packages in a clean chroot before reporting problems.
- Consider using Floorp. See CVE-2024-9680
BuZZ-dEE commented on 2024-10-11 12:49 (UTC) (edited on 2024-10-11 13:26 (UTC) by BuZZ-dEE)
Conflicts during install.
paru -S --noconfirm midori
:: Resolving dependencies...
:: Calculating conflicts...
:: Calculating inner conflicts...
:: Conflicts found:
rustup: rust (cargo) rust (rustfmt) rust rust (cargo) rust (rustfmt)
:: Conflicting packages will have to be confirmed manually
error: can not install conflicting packages with --noconfirm
xiota commented on 2024-05-18 08:23 (UTC)
@saltedcoffii xwayland-run is a makedep. It is not used during runtime. It is used to profile the binary to improve runtime performance (PGO).
There are variables at the beginning of the PKGBUILD you can edit to alter build parameters.
saltedcoffii commented on 2024-05-14 05:03 (UTC)
Hi! Please add xwayland-run as an optional dependency rather than a required dependency for users that do not use wayland.
Thank you!
ozwigh commented on 2024-04-29 05:51 (UTC)
Build failed with ModuleNotFoundError: No module named 'distutils' 'cause of "Of note, the distutils package has been removed from the standard library." (https://docs.python.org/3/whatsnew/3.12.html)
Pinned Comments
xiota commented on 2024-03-19 12:30 (UTC) (edited on 2024-05-18 08:24 (UTC) by xiota)
Midori 11.x.y is based on Floorp.
For Midori 9.x, based on WebKit, use
PKGBUILD.midori-classic.If you have problems building, try building in a clean chroot.
Some options are available:
_build_pgo=false makepkg– Build without PGO. Faster compilation, but reduced performance._build_pgo_reuse=false makepkg– Make a new profile. Can delete the old profile for similar effect._build_pgo_xvfb=true makepkg– Usexvfbfor profiling.This package reuses the previously created PGO profile to reduce rebuild times while retaining most of the performance benefit of PGO. Generate a new profile when:
Avoid flagging and commenting at the same time for the same issue.