Bug 718844 - GLSA 202003-57 lists unaffected ebuild(s) as vulnerable
Summary: GLSA 202003-57 lists unaffected ebuild(s) as vulnerable
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Duplicates: 718600
Depends on:
Blocks:
 
Reported: 2020-04-22 14:03 UTC by Thomas Deutschmann (RETIRED)
Modified: 2020-12-23 20:24 UTC

See Also:
Package list:
Runtime testing required: ---


Description Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-22 14:03:51 UTC
See bug 713484 comment 16 for more details.
Comment 1 alexander haensch 2020-04-23 08:01:44 UTC
I think the XML should have these package contents:


  <affected>
    <package name="dev-lang/php" auto="yes" arch="*">
      <unaffected range="ge">7.2.29</unaffected>
      <unaffected range="ge">7.3.16</unaffected>
      <unaffected range="ge">7.4.4</unaffected>
      <vulnerable range="lt">7.2.29</vulnerable>
      <vulnerable range="lt">7.3.16</vulnerable>
      <vulnerable range="lt">7.4.4</vulnerable>
    </package>
  </affected>


can this be fixed upstream?
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-23 12:51:28 UTC
We are working on this, but it's not that easy. See the following pseudo-example with some debug output:

> (chroot) dev1 ~ # # eshowkw dev-lang/php
> Keywords for dev-lang/php:
>           |                             |   u     |
>           | a   a     p         s a r   |   n     |
>           | m   r i   p   h m s p l i m | e u s   | r
>           | d a m a p c x p 6 3 a p s i | a s l   | e
>           | 6 r 6 6 p 6 8 p 8 9 r h c p | p e o   | p
>           | 4 m 4 4 c 4 6 a k 0 c a v s | i d t   | o
> ----------+-----------------------------+---------+-------
>    7.2.29 | + + + ~ + + + + o ~ + ~ o ~ | 7 # 7.2 | gentoo
>    7.2.30 | + + + ~ + + + + o ~ + ~ o ~ | 7 o     | gentoo
> ----------+-----------------------------+---------+-------
>    7.3.16 | + + + ~ + + + + o ~ + ~ o ~ | 7 # 7.3 | gentoo
> [I]7.3.17 | + + + ~ + + + + o ~ + ~ o ~ | 7 o     | gentoo
> ----------+-----------------------------+---------+-------
>  [I]7.4.4 | + + + ~ + + + + o ~ + ~ o ~ | 7 # 7.4 | gentoo
>     7.4.5 | + + + ~ + + + + o ~ + ~ o ~ | 7 o     | gentoo


> (chroot) dev1 ~ # grep -B 6 '</package>' /var/db/repos/gentoo/metadata/glsa/glsa-202003-57.xml
> <unaffected range="ge">7.2.29</unaffected>
> <unaffected range="ge">7.3.18</unaffected>
> <unaffected range="ge">7.4.5</unaffected>
> <vulnerable range="lt">7.2.29</vulnerable>
> <vulnerable range="lt">7.3.18</vulnerable>
> <vulnerable range="lt">7.4.5</vulnerable>
>     </package>


> (chroot) dev1 ~ # glsa-check -t 202003-57
> {'arch': '*', 'auto': True, 'vul_vers': ['<7.4.5'], 'unaff_vers': ['>=7.2.29', '>=7.3.18', '>=7.4.5'], 'vul_atoms': ['<dev-lang/php-7.4.5'], 'unaff_atoms': ['>=dev-lang/php-7.2.29', '>=dev-lang/php-7.3.18', '>=dev-lang/php-7.4.5']}
> v_installed: ['dev-lang/php-7.3.17', 'dev-lang/php-7.4.4']
> u_installed: ['dev-lang/php-7.3.17', 'dev-lang/php-7.4.4', 'dev-lang/php-7.4.4']
> v_installed reduced: []
> This system is not affected by any of the listed GLSAs

As you can see, the lowest unaffected range will clear out everything else, which is wrong.
Using rge helped here, but only at revision level, which is not the case.
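To make the failure in the debug output above concrete, here is an added Python model of the vulnerable/unaffected reduction (not glsa-check's own code). The installed versions and the ranges are constructed from the output in this comment; the per-slot tagging of the SLOTTED ranges and the php_slot helper are assumptions about what the slot-based fix looks like, using the 7.2/7.3/7.4 slots shown in the eshowkw table:

```python
from typing import Dict, List, Optional, Tuple

# Constructed from the v_installed/u_installed lines in comment 2.
INSTALLED = ["7.3.17", "7.4.4"]

Range = Tuple[str, str, Optional[str]]  # (op, version bound, slot or None)

# The slotless GLSA as shipped: every "ge" range applies to every version.
SLOTLESS: Dict[str, List[Range]] = {
    "unaffected": [("ge", "7.2.29", None), ("ge", "7.3.18", None), ("ge", "7.4.5", None)],
    "vulnerable": [("lt", "7.2.29", None), ("lt", "7.3.18", None), ("lt", "7.4.5", None)],
}
# Assumed shape of the slotted fix: each range is scoped to one PHP slot.
SLOTTED: Dict[str, List[Range]] = {
    "unaffected": [("ge", "7.2.29", "7.2"), ("ge", "7.3.18", "7.3"), ("ge", "7.4.5", "7.4")],
    "vulnerable": [("lt", "7.2.29", "7.2"), ("lt", "7.3.18", "7.3"), ("lt", "7.4.5", "7.4")],
}

def vtuple(v: str) -> Tuple[int, ...]:
    # Simple dotted-number compare; enough for the PHP versions here.
    return tuple(int(p) for p in v.split("."))

def php_slot(v: str) -> str:
    # Assumption: dev-lang/php slots are major.minor, as eshowkw shows.
    return ".".join(v.split(".")[:2])

def in_range(ver: str, op: str, bound: str) -> bool:
    a, b = vtuple(ver), vtuple(bound)
    return {"ge": a >= b, "gt": a > b, "le": a <= b, "lt": a < b, "eq": a == b}[op]

def matches(ver: str, ranges: List[Range]) -> bool:
    # A range without a slot applies to every version; a slotted range
    # only applies to versions in that slot.
    return any((slot is None or slot == php_slot(ver)) and in_range(ver, op, bound)
               for op, bound, slot in ranges)

def affected_versions(installed: List[str], glsa: Dict[str, List[Range]]) -> List[str]:
    # Same reduction as the debug output: vulnerable minus unaffected.
    v_installed = [v for v in installed if matches(v, glsa["vulnerable"])]
    u_installed = [v for v in installed if matches(v, glsa["unaffected"])]
    return [v for v in v_installed if v not in u_installed]

if __name__ == "__main__":
    print("slotless:", affected_versions(INSTALLED, SLOTLESS))  # [] -> "not affected"
    print("slotted: ", affected_versions(INSTALLED, SLOTTED))   # ['7.3.17', '7.4.4']
```

With the slotless ranges, >=7.2.29 matches both installed versions and empties the vulnerable list, which is exactly the "v_installed reduced: []" line above; scoping each range to its slot keeps 7.3.17 and 7.4.4 flagged.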
Comment 3 Larry the Git Cow gentoo-dev 2020-04-23 15:25:54 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=5f514a6bc0b6082d08328fcc290cbba6761ee102

commit 5f514a6bc0b6082d08328fcc290cbba6761ee102
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-23 15:25:14 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-23 15:25:14 +0000

    [ GLSA 202003-57 ] Use slots
    
    Closes: https://bugs.gentoo.org/718844
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 glsa-202003-57.xml | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-23 20:24:28 UTC
*** Bug 718600 has been marked as a duplicate of this bug. ***