This change is really weird. %n in a scanning string isn't the same as %n in a format string.
Is clang mistakenly flagging %n in scanning strings? That might be a mistake. clang should only be inspecting *printf style format strings.

The change to libc has no impact on scanning strings. Scanning strings with *scanf are *full* of pointer-store requests. Scanning strings are not used in attacks, only output format strings are used in attacks. We are only changing the behaviour of output format strings.

Furthermore, this change doesn't seem like a no-op. It is reformatting the string. Upon input, the scanf could plausibly be insensitive to leading 0's, spaces, etc etc. And that is the %n input length. But by reprinting the string and creating a new string, you have a different string and different length. Does that matter? I don't know, but the change is dubious without studying to make sure it isn't a new problem.

Stefan Hagen <sh+openbsd-po...@codevoid.de> wrote: > Hi, > > This removes the '%n' format specifier from sysutils/cdrtools. > > Test: %n is used to align this list and it works like before: > > # cdrecord -scanbus > Cdrecord-ProDVD-ProBD-Clone 3.00 (amd64-unknown-openbsd7.0) Copyright (C) > 1995-2010 Jörg Schilling > Using libscg version 'schily-0.9'. > scsibus3: > 3,0,0 300) * > 3,1,0 301) 'MATSHITA' 'BD-MLT UJ272 ' '1.02' Removable CD-ROM > 3,2,0 302) * > 3,3,0 303) * > 3,4,0 304) * > 3,5,0 305) * > 3,6,0 306) * > 3,7,0 307) * > > Best regards, > Stefan > > Index: sysutils/cdrtools/Makefile > =================================================================== > RCS file: /cvs/ports/sysutils/cdrtools/Makefile,v > retrieving revision 1.23 > diff -u -p -u -p -r1.23 Makefile > --- sysutils/cdrtools/Makefile 12 Jul 2019 20:49:40 -0000 1.23 > +++ sysutils/cdrtools/Makefile 10 Sep 2021 18:01:10 -0000 
> @@ -3,7 +3,7 @@ > COMMENT= ISO 9660 filesystem and CD/DVD/BD creation tools > > DISTNAME= cdrtools-3.00 > -REVISION= 1 > +REVISION= 2 > CATEGORIES= sysutils > HOMEPAGE= http://cdrtools.sourceforge.net/private/cdrtools.html > > Index: sysutils/cdrtools/patches/patch-libscg_scsi-unixware_c > =================================================================== > RCS file: sysutils/cdrtools/patches/patch-libscg_scsi-unixware_c > diff -N sysutils/cdrtools/patches/patch-libscg_scsi-unixware_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ sysutils/cdrtools/patches/patch-libscg_scsi-unixware_c 10 Sep 2021 > 18:01:10 -0000 > @@ -0,0 +1,35 @@ > +$OpenBSD$ > + > +Remove format specifier %n > + > +Index: libscg/scsi-unixware.c > +--- libscg/scsi-unixware.c.orig > ++++ libscg/scsi-unixware.c > +@@ -75,8 +75,8 @@ LOCAL char _scg_trans_version[] = > "scsi-unixware.c-1.3 > + #define DEV_DIR "/tmp" > + #define DEV_NAME "scg.s%1dt%1dl%1d" > + > +-#define SCAN_HBA "%d:%d,%d,%d:%7s : %n" > +-#define SCAN_DEV "%d,%d,%d:%7s : %n" > ++#define SCAN_HBA "%d:%d,%d,%d:%7s : " > ++#define SCAN_DEV "%d,%d,%d:%7s : " > + > + #define PRIM_HBA "/dev/hba/hba1" > + #define SCSI_CFG "LC_ALL=C /etc/scsi/pdiconfig -l" > +@@ -257,11 +257,14 @@ extern char **environ; > + memset(class, '\0', sizeof (class)); > + memset(ident, '\0', sizeof (ident)); > + > ++ char tmp[MAXLINE]; > + if (lines[0] == ' ') { > +- sscanf(lines, SCAN_DEV, &bus, &tgt, &lun, class, &pos); > ++ sscanf(lines, SCAN_DEV, &bus, &tgt, &lun, class); > ++ pos = snprintf(tmp, sizeof(tmp), SCAN_DEV, bus, tgt, > lun, class); > + hba = lhba; > + } else { > +- sscanf(lines, SCAN_HBA, &hba, &bus, &tgt, &lun, class, > &pos); > ++ sscanf(lines, SCAN_HBA, &hba, &bus, &tgt, &lun, class); > ++ pos = snprintf(tmp, sizeof(tmp), SCAN_HBA, hba, bus, > tgt, lun, class); > + nscg++; > + lhba = hba; > + atapi = 0; >
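
Review bot: In the SCAN_HBA / SCAN_DEV defines, dropping `%n` turns each macro into a string that is handed to both sscanf and snprintf, and `%7s` means different things to the two: a maximum field width of 7 when scanning, a minimum width padded with blanks when printing. A format written for parsing is not a reliable template for output. Since `%n` in a scanf format only stores the count of input characters consumed so far, consider leaving these two defines as they were, or add a separate output format if the re-print is kept.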
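
Review bot: `pos` in the libscg/scsi-unixware.c @@ -257,11 hunk is no longer the number of input characters consumed; it is the length of a re-printed string, and the two can differ. In the `lines[0] == ' '` branch the input starts with a blank that `%d` skips when scanning but snprintf never emits, and each blank in the format matches any run of whitespace on input while producing exactly one character on output. If `pos` is later used as an offset into `lines` (not visible here), it can point at the wrong column. The sscanf return value is also unchecked, so on a partial match bus, tgt, lun or hba reach snprintf with whatever they held before, and `char tmp[MAXLINE];` is declared after the memset statements, which pre-C99 compilers reject. Suggest keeping the `%n` in the sscanf calls and checking that each returns the expected conversion count.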
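
The difference the reply describes between the `%n` input length and the length of a re-printed string, as an added example that is not code from this thread or from cdrtools. It uses the two SCAN_DEV strings shown in the diff; the function names, the 8-byte class buffer and the sample lines are constructed for illustration.

```c
#include <stdio.h>

/* Both strings appear in the diff: the original scanning format with %n,
 * and the patched one that is reused as an snprintf format. */
#define SCAN_DEV_N "%d,%d,%d:%7s : %n"
#define SCAN_DEV   "%d,%d,%d:%7s : "

/* Offset just past the parsed prefix, as counted by sscanf's %n.
 * Returns -1 if the prefix does not match completely. */
static int consumed_by_scanf(const char *line)
{
	int bus, tgt, lun, pos = -1;
	char class[8];		/* %7s stores at most 7 chars plus NUL */

	if (sscanf(line, SCAN_DEV_N, &bus, &tgt, &lun, class, &pos) != 4)
		return -1;
	return pos;		/* stays -1 if the trailing " : " did not match */
}

/* Offset as the patch derives it: parse, re-print, take the length. */
static int length_by_reprint(const char *line)
{
	int bus, tgt, lun;
	char class[8], tmp[256];

	if (sscanf(line, SCAN_DEV, &bus, &tgt, &lun, class) != 4)
		return -1;
	return snprintf(tmp, sizeof(tmp), SCAN_DEV, bus, tgt, lun, class);
}

int main(void)
{
	/* Constructed sample lines, not real pdiconfig output. */
	const char *samples[] = {
		"0,1,0:  cdrom : rest",		/* matches printf layout */
		" 0,1,0:  cdrom : rest",	/* leading blank          */
		"  3,01,0:disk    :   rest",	/* leading 0, extra blanks */
	};

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-28s %%n=%d reprint=%d\n", samples[i],
		    consumed_by_scanf(samples[i]),
		    length_by_reprint(samples[i]));
	return 0;
}
```

The two values agree only when the input happens to be laid out exactly as printf would lay it out.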