Diffstat (limited to 'external/poky/meta/recipes-extended/procps')
-rw-r--r--external/poky/meta/recipes-extended/procps/procps/0001-Fix-out-of-tree-builds.patch24
-rw-r--r--external/poky/meta/recipes-extended/procps/procps/sysctl.conf105
-rw-r--r--external/poky/meta/recipes-extended/procps/procps_3.3.16.bb (renamed from external/poky/meta/recipes-extended/procps/procps_3.3.15.bb)26
3 files changed, 72 insertions, 83 deletions
diff --git a/external/poky/meta/recipes-extended/procps/procps/0001-Fix-out-of-tree-builds.patch b/external/poky/meta/recipes-extended/procps/procps/0001-Fix-out-of-tree-builds.patch
deleted file mode 100644
index e5481943..00000000
--- a/external/poky/meta/recipes-extended/procps/procps/0001-Fix-out-of-tree-builds.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 0825db94fc91fa2150c0e649e92cc8dcc44f4b38 Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex.kanavin@gmail.com>
-Date: Wed, 4 Apr 2018 14:09:45 +0300
-Subject: [PATCH] Fix out of tree builds
-
-Upstream-Status: Pending
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
----
- include/nls.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/nls.h b/include/nls.h
-index 1166b7b..f5abe05 100644
---- a/include/nls.h
-+++ b/include/nls.h
-@@ -6,7 +6,7 @@
- #define PROCPS_NG_NLS_H
-
- /* programs issuing textdomain() need PACKAGE string */
--#include "../config.h"
-+#include "config.h"
-
- /* programs issuing bindtextdomain() also need LOCALEDIR string */
- #ifndef LOCALEDIR
diff --git a/external/poky/meta/recipes-extended/procps/procps/sysctl.conf b/external/poky/meta/recipes-extended/procps/procps/sysctl.conf
index 34e7488b..253f3701 100644
--- a/external/poky/meta/recipes-extended/procps/procps/sysctl.conf
+++ b/external/poky/meta/recipes-extended/procps/procps/sysctl.conf
@@ -1,64 +1,67 @@
-# This configuration file is taken from Debian.
+# This configuration taken from procps v3.3.15
+# Commented out kernel/pid_max=10000 line
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See sysctl.conf (5) for information.
-#
-#kernel.domainname = example.com
+# you can have the CD-ROM close when you use it, and open
+# when you are done.
+#dev.cdrom.autoeject = 1
+#dev.cdrom.autoclose = 1
-# Uncomment the following to stop low-level messages on console
-#kernel.printk = 4 4 1 7
+# protection from the SYN flood attack
+net/ipv4/tcp_syncookies=1
-##############################################################3
-# Functions previously found in netbase
-#
+# see the evil packets in your log files
+net/ipv4/conf/all/log_martians=1
-# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
-# Turn on Source Address Verification in all interfaces to
-# prevent some spoofing attacks
-net.ipv4.conf.default.rp_filter=1
-net.ipv4.conf.all.rp_filter=1
+# makes you vulnerable or not :-)
+net/ipv4/conf/all/accept_redirects=0
+net/ipv4/conf/all/accept_source_route=0
+net/ipv4/icmp_echo_ignore_broadcasts =1
-# Uncomment the next line to enable TCP/IP SYN cookies
-#net.ipv4.tcp_syncookies=1
+# needed for routing, including masquerading or NAT
+#net/ipv4/ip_forward=1
-# Uncomment the next line to enable packet forwarding for IPv4
-#net.ipv4.ip_forward=1
+# sets the port range used for outgoing connections
+#net.ipv4.ip_local_port_range = 32768 61000
-# Uncomment the next line to enable packet forwarding for IPv6
-#net.ipv6.conf.all.forwarding=1
+# Broken routers and obsolete firewalls will corrupt the window scaling
+# and ECN. Set these values to 0 to disable window scaling and ECN.
+# This may, rarely, cause some performance loss when running high-speed
+# TCP/IP over huge distances or running TCP/IP over connections with high
+# packet loss and modern routers. This sure beats dropped connections.
+#net.ipv4.tcp_ecn = 0
+# Swapping too much or not enough? Disks spinning up when you'd
+# rather they didn't? Tweak these.
+#vm.vfs_cache_pressure = 100
+#vm.laptop_mode = 0
+#vm.swappiness = 60
-###################################################################
-# Additional settings - these settings can improve the network
-# security of the host and prevent against some network attacks
-# including spoofing attacks and man in the middle attacks through
-# redirection. Some network environments, however, require that these
-# settings are disabled so review and enable them as needed.
-#
-# Ignore ICMP broadcasts
-#net.ipv4.icmp_echo_ignore_broadcasts = 1
-#
-# Ignore bogus ICMP errors
-#net.ipv4.icmp_ignore_bogus_error_responses = 1
-#
-# Do not accept ICMP redirects (prevent MITM attacks)
-#net.ipv4.conf.all.accept_redirects = 0
-#net.ipv6.conf.all.accept_redirects = 0
-# _or_
-# Accept ICMP redirects only for gateways listed in our default
-# gateway list (enabled by default)
-# net.ipv4.conf.all.secure_redirects = 1
-#
-# Do not send ICMP redirects (we are not a router)
-#net.ipv4.conf.all.send_redirects = 0
-#
-# Do not accept IP source route packets (we are not a router)
-#net.ipv4.conf.all.accept_source_route = 0
-#net.ipv6.conf.all.accept_source_route = 0
-#
-# Log Martian Packets
-#net.ipv4.conf.all.log_martians = 1
-#
+#kernel.printk_ratelimit_burst = 10
+#kernel.printk_ratelimit = 5
+#kernel.panic_on_oops = 0
+
+# Reboot 600 seconds after a panic
+#kernel.panic = 600
+
+# enable SysRq key (note: console security issues)
+#kernel.sysrq = 1
+
+# Change name of core file to start with the command name
+# so you get things like: emacs.core mozilla-bin.core X.core
+#kernel.core_pattern = %e.core
+
+# NIS/YP domain (not always equal to DNS domain)
+#kernel.domainname = example.com
+#kernel.hostname = darkstar
+
+# This limits PID values to 4 digits, which allows tools like ps
+# to save screen space.
+#kernel/pid_max=10000
-#kernel.shmmax = 141762560
+# Protects against creating or following links under certain conditions
+# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
+#fs.protected_hardlinks = 1
+#fs.protected_symlinks = 1
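Review bot: The two active `rp_filter` lines are removed and nothing replaces them, so reverse-path (source address) filtering on images that ship this file falls back to the kernel or distro default, which is a hardening regression against the old file. If that is not intended, keep `net.ipv4.conf.default.rp_filter=1` and `net.ipv4.conf.all.rp_filter=1` next to the other network settings. Separately, `net/ipv4/conf/all/accept_redirects=0` alone is probably not enough on a host that does not forward: per the kernel's ip-sysctl documentation the per-interface value still applies there, so `net/ipv4/conf/default/accept_redirects=0` would be needed as well. The IPv6 redirect and source-route settings that the old file at least listed as commented-out options are gone entirely.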
diff --git a/external/poky/meta/recipes-extended/procps/procps_3.3.15.bb b/external/poky/meta/recipes-extended/procps/procps_3.3.16.bb
index 9756db0e..2810ebd2 100644
--- a/external/poky/meta/recipes-extended/procps/procps_3.3.15.bb
+++ b/external/poky/meta/recipes-extended/procps/procps_3.3.16.bb
@@ -4,26 +4,33 @@ the /proc filesystem. The package includes the programs ps, top, vmstat, w, kill
HOMEPAGE = "https://gitlab.com/procps-ng/procps"
SECTION = "base"
LICENSE = "GPLv2+ & LGPLv2+"
-LIC_FILES_CHKSUM="file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
- file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \
- "
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+ file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \
+ "
DEPENDS = "ncurses"
inherit autotools gettext pkgconfig update-alternatives
-SRC_URI = "http://downloads.sourceforge.net/project/procps-ng/Production/procps-ng-${PV}.tar.xz \
+SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https \
file://sysctl.conf \
- file://0001-Fix-out-of-tree-builds.patch \
"
+SRCREV = "59c88e18f29000ceaf7e5f98181b07be443cf12f"
-SRC_URI[md5sum] = "2b0717a7cb474b3d6dfdeedfbad2eccc"
-SRC_URI[sha256sum] = "10bd744ffcb3de2d591d2f6acf1a54a7ba070fdcc432a855931a5057149f0465"
+S = "${WORKDIR}/git"
-S = "${WORKDIR}/procps-ng-${PV}"
+# Upstream has a custom autogen.sh which invokes po/update-potfiles as they
+# don't ship a po/POTFILES.in (which is silly). Without that file gettext
+# doesn't believe po/ is a gettext directory and won't generate po/Makefile.
+do_configure_prepend() {
+ ( cd ${S} && po/update-potfiles )
+}
EXTRA_OECONF = "--enable-skill --disable-modern-top"
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
+PACKAGECONFIG[systemd] = "--with-systemd,--without-systemd,systemd"
+
do_install_append () {
install -d ${D}${base_bindir}
[ "${bindir}" != "${base_bindir}" ] && for i in ${base_bindir_progs}; do mv ${D}${bindir}/$i ${D}${base_bindir}/$i; done
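Review bot: The new `SRCREV` line is a bare commit hash with no note of which upstream release it corresponds to, and with the sha256-checked tarball gone that hash is now the only integrity pin for the source. A reviewer bumping the recipe has to look the hash up by hand to confirm it matches the version in the file name. I would add a comment directly above it, for example `# SRCREV is the commit of upstream tag <tag name>; confirm against the upstream repository before changing`, with the tag filled in by whoever verified it.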
@@ -64,3 +71,6 @@ python __anonymous() {
d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
}
+# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
+CVE_CHECK_WHITELIST += "CVE-2018-1121"
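Review bot: The comment above `CVE_CHECK_WHITELIST` gives the conclusion but not the issue, so anyone reading an image's CVE report has to follow the Bugzilla link to learn what was suppressed. I would state it in place, e.g. `# CVE-2018-1121: processes can hide from ps/top via a race during /proc enumeration; procps tools are not a security boundary, see link below.` The entry is also not tied to a version, so it will keep suppressing this CVE across future upgrades; a short `# re-evaluate on version bump` remark would make that explicit. Products that rely on `ps` output for monitoring should record this accepted risk somewhere other than the recipe. The `python __anonymous()` block shown as context starts outside the hunk.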