Thanks for your great investigations. Candidates for the offending patches are debian/patches/CVE-2006-1990.patch and debian/patches/CVE-2006-3017.patch. Building a debugging version of php4, and removing either of those patches (and see which is the responsible one) would be great!
Thanks for your great investigations. Candidates for the offending patches are debian/ patches/ CVE-2006- 1990.patch and debian/ patches/ CVE-2006- 3017.patch. Building a debugging version of php4, and removing either of those patches (and see which is the responsible one) would be great!
You can build a debugging version like this:
sudo apt-get build-dep php4 OPTIONS= nostrip, noopt debuild -us -uc -b mod-php4* .deb
sudo apt-get install devscripts fakeroot
apt-get source php4
cd php4-*
DEB_BUILD_
cd ..
sudo dpkg -i php4-common*.deb php4-cgi*.deb php4-cli*.deb libapache2-
In the meantime I will scrutinize the patches again and try to write a reproducer based on the stack traces above. Thank you!