Sunday, September 18, 2022

September patch set for TenFourFox

102 is now the next Firefox Extended Support Release, so it's time for spring cleaning — if you're a resident of the Southern Hemisphere — in the TenFourFox repository. Besides refreshing the maintenance scripts to pull certificate, timezone and HSTS updates from this new source, I also implemented all the relevant security and stability patches from the last gasp of 91ESR (none likely to be exploitable on Power Macs without a direct attack, but many likely to crash them), added an Fx102 user agent choice to the TenFourFox preference pane, updated the ATSUI font blacklist (thanks to Chris T for the report) and updated zlib to 1.2.12, picking up multiple bug fixes and some modest performance improvements. This touches a lot of low-level stuff so updating will require a complete rebuild from scratch (instructions). Sorry about that, it's necessary!

If you're new to building your own copy of TenFourFox, this article from last year is still current with the process and what's out there for alternatives and assistance.


  1. ChrisT: This version works well, except it seems that SVG images (or maybe only some types of SVGs) aren't displayed in the browser chrome. Example: uBlock Origin's toolbar icon, which is actually a set of icons showing the blocking state. In this case, however, I chose to 'fix' the extension by replacing the SVG icons inside the xpi file with PNGs.

    1. Is that all SVGs? Are all extensions affected? Wondering if this is the JAR security patch.

    2. ChrisT: I installed about 30 extensions in a fresh browser profile. uBlock Origin seems to be the only one that displays something in the toolbar *and* has the problem. But it's also the only one that uses SVG images/icons. All other tested extensions use PNG or ICO. So I cannot tell for sure. What's the bug number? I could back it out locally and re-build the browser for testing.

    3. ChrisT: …even though in this case I don't think it matters that much. I guess the extension should be updated to accommodate the security fix, not the other way around.

    4. It's also entirely possible I backported it wrong, since I had to make some adjustments for the older code base. Another report suggests it is indeed the JAR patch, which doesn't surprise me because I did have to radically modify it. I'm not yet sure what it's fixing because the actual bug is not public (I just have the patch).

