Comment 15 for bug 53581

Thanks for your great investigations. Candidates for the offending patches are debian/patches/CVE-2006-1990.patch and debian/patches/CVE-2006-3017.patch. Building a debugging version of php4, and removing either of those patches (and see which is the responsible one) would be great!

You can build a debugging version like this:

  sudo apt-get build-dep php4
  sudo apt-get install devscripts fakeroot
  apt-get source php4
  cd php4-*
  DEB_BUILD_OPTIONS=nostrip,noopt debuild -us -uc -b
  cd ..
  sudo dpkg -i php4-common*.deb php4-cgi*.deb php4-cli*.deb libapache2-mod-php4*.deb

In the meantime I will scrutinize the patches again and try to write a reproducer based on the stack traces above. Thank you!