Tariin
September 29, 2025, 6:36pm
1
Two different computer. One AMD based, one Intel / Nvidia. Running kde plasma.
Both run EOS. And on both (since last? updates) Firefox crashes when trying to save images to SSD / HDD.
firejail firefox … Firefox starts but crashes when trying to save images.
same with this (my personal start of that):
firejail –apparmor /usr/lib/firefox/firefox %u -P default-release
So, bug / new “security feature” in firejail? firefox without firejail works while saving images. This issue happened since updates last week.
cactux
September 30, 2025, 10:48am
2
Do you see any output in the terminal when Firefox crashes?
Tariin
September 30, 2025, 6:19pm
3
opened 09:09PM - 21 Sep 25 UTC
bug
### Description
Applications that use glycin 2.0.0 or later via gdk-pixbuf2 (ex… amples: Firefox, Thunderbird, GIMP) crash
The library glycin provides a set of "safe" image format loaders to gdk-pixbuf2, another library which is widely used in GTK-based applications for loading images.
As of gdk-pixbuf2 2.44.1 the calls to glycin loaders are wrapped in bubblewrap (bwrap).
### Steps to Reproduce
1. Install Firefox 143.0.1 from Arch Linux repositories.
2. Enable "testing" repositories of Arch Linux, which currently contain gdk-pixbuf2 2.44.1 in extra-testing.
3. Update gdk-pixbuf2 to the "testing" version, soon to land in the main repositories.
4. Run Firefox.
5. From the File menu, select the "Open File..." item, or trigger the opening of a file chooser dialog by trying to save a downloaded file or upload a file via a form.
6. Firefox crashes.
Thunderbird similarly crashes if one tries to open a file for any purpose. GIMP does not launch at all, if sandboxed with firejail..
### Expected behavior
These applications work inside firejail sandbox as they did before.
### Actual behavior
The mentioned applications crash.
### Behavior without a profile
_What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a
terminal?_
Firefox, and the other applications, don't crash.
### Additional context
This ties into the as-yet unsolved problem of running applications that try to use bwrap inside the firejail sandbox. The applications doing this used to be relatively few and perhaps considered of lower impact e.g., Foliate. Now, it is Firefox, via gdk-pixbuf2. Web browsers are probably the main type of application one would want to use inside a firejail sandbox.
### Environment
- Name/version/arch of the Linux kernel (`uname -srm`): `Linux 6.16.8-arch1-1 x86_64`
- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Arch Linux
- Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
mesa 1:24.3.3-2"): Firefox 143.0.1
- Version of Firejail (`firejail --version`): firejail-git from AUR, `0.9.76.r88.gd0c89ae81-1`
- If you use a development version of firejail, also the commit from which it
was compiled (`git rev-parse HEAD`): gd0c89ae81
### Checklist
- [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it).
- [x] I can reproduce the issue without custom modifications (e.g. globals.local).
- [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
- [x] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc).
- [x] I have performed a short search for similar issues (to avoid opening a duplicate).
- [x] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
- [x] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages)
### Log
After adding the following lines to `firefox.local`:
```
whitelist /usr/share/glycin-loaders
noblacklist /usr/bin/bwrap
```
The relevant error message becomes:
```
Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/Adwaita/scalable/status/image-missing.svg: Loader process exited early with status '1'Command:
"bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000" "--symlink" "/usr/lib" "/lib" "--symlink" "/usr/lib" "/lib64" "--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" "/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" "/home/user/.cache/fontconfig" "/home/user/.cache/fontconfig" "--ro-bind-try" "/home/user/.config/fontconfig/conf.d" "/home/user/.config/fontconfig/conf.d" "--ro-bind-try" "/home/user/.local/share/fonts" "/home/user/.local/share/fonts" "--ro-bind-try" "/var/cache/fontconfig" "/var/cache/fontconfig" "--bind-try" "/home/user/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "/home/user/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--setenv" "XDG_CACHE_HOME" "/home/user/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--seccomp" "213" "/usr/lib/glycin-loaders/2+/glycin-svg" "--dbus-fd" "212" (gdk-pixbuf-error-quark, 0)
Bail out! Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/Adwaita/scalable/status/image-missing.svg: Loader process exited early with status '1'Command: "bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000" "--symlink" "/usr/lib" "/lib" "--symlink" "/usr/lib" "/lib64" "--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" "/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" "/home/user/.cache/fontconfig" "/home/user/.cache/fontconfig" "--ro-bind-try" "/home/user/.config/fontconfig/conf.d" "/home/user/.config/fontconfig/conf.d" "--ro-bind-try" "/home/user/.local/share/fonts" "/home/user/.local/share/fonts" "--ro-bind-try" "/var/cache/fontconfig" "/var/cache/fontconfig" "--bind-try" "/home/user/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "/home/user/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--setenv" "XDG_CACHE_HOME" "/home/user/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--seccomp" "213" "/usr/lib/glycin-loaders/2+/glycin-svg" "--dbus-fd" "212" (gdk-pixbuf-error-quark, 0)
```
This is a gdk-pixbuf2 issue I think. See link …
cactux
September 30, 2025, 7:29pm
4
Yes it seems so. Good find! Thanks for posting the link!
Bink
October 1, 2025, 9:54pm
5
I’ve unfortunately been able to replicate this in LibreWolf (Firefox soft-fork), and now also Betterbird (Thunderbird soft-fork) when trying to save a PDF attachment, so presumably this is an issue across the Mozilla suite
Tariin
October 14, 2025, 2:10pm
6
So, I personally removed gdk-pixbuf2 with sudo pacman -Rnsdd gdk-pixbuf2 and installed gdk-pixbuf2-noglycin with yay -S gdk-pixbuf2-noglycin from AUR.
Is that the recommended solution? I don’t know. But I did it for myself first. Comments welcome.
keithy
October 22, 2025, 2:16pm
7
This fixed some weird pixbuf errors I was getting with other apps (solitaire - lol
removal of gtk-pixbuf2 killed my terminal though which made things interesting….
) Thanks