The patch itself:
----------------------------------------------------------------
--- posix.c.orig        Fri Jan 12 04:46:11 2007
+++ posix.c     Thu Feb 22 14:56:56 2007
@@ -837,9 +837,8 @@

 #if defined(ZTS) && defined(HAVE_GETGRNAM_R) && defined(_SC_GETGR_R_SIZE_MAX)
        buflen = sysconf(_SC_GETGR_R_SIZE_MAX);
-       if (buflen < 1) {
-               RETURN_FALSE;
-       }
+       if (buflen < 0)
+               buflen = 1024;
        buf = emalloc(buflen);
        g = &gbuf;

@@ -887,6 +886,8 @@
 #ifdef HAVE_GETGRGID_R

        grbuflen = sysconf(_SC_GETGR_R_SIZE_MAX);
+       if (grbuflen < 0)
+               grbuflen = 1024;
        grbuf = emalloc(grbuflen);

        ret = getgrgid_r(gid, &_g, grbuf, grbuflen, &retgrptr);
@@ -950,9 +951,9 @@

 #if defined(ZTS) && defined(_SC_GETPW_R_SIZE_MAX) && defined(HAVE_GETPWNAM_R)
        buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
-       if (buflen < 1) {
-               RETURN_FALSE;
-       }
+       if (buflen < 0)
+               buflen = 1024;
+
        buf = emalloc(buflen);
        pw = &pwbuf;

@@ -999,9 +1000,8 @@
        }
 #if defined(ZTS) && defined(_SC_GETPW_R_SIZE_MAX) && defined(HAVE_GETPWUID_R)
        pwbuflen = sysconf(_SC_GETPW_R_SIZE_MAX);
-       if (pwbuflen < 1) {
-               RETURN_FALSE;
-       }
+       if (pwbuflen < 0)
+               pwbuflen = 1024;
        pwbuf = emalloc(pwbuflen);

        ret = getpwuid_r(uid, &_pw, pwbuf, pwbuflen, &retpwptr);
--------------------------------------------------------------

+       if (grbuflen < 0)
+               grbuflen = 1024;

I definitely agree with this part of the patch.
But other parts look to me as a "workaround" for FreeBSD problems.

-       if (buflen < 1) {
-               RETURN_FALSE;
-       }
+       if (buflen < 0)
+               buflen = 1024;

It might be safe to do it on FreeBSD when you know for sure that this functionality is missing and it's safe to use 1K buffer, but other systems might behave differently.

-       if (buflen < 1) {
-               RETURN_FALSE;
-       }
+       if (buflen < 0)
+               buflen = 1024;

>It might be safe to do it on FreeBSD when you know for sure >that this functionality is missing and it's safe to use 1K >buffer, but other systems might behave differently.

This patch covers two problems:
1) The POSIX says that sysconf will return -1 on failure, thus the ( < 1) check is definitely incorrect
2) It's safe to use the buffer of any size (according to POSIX), since you give the buffer length to these functions. They'll return error if the buffer lenght isn't enough - it's better then give up on retriving this info just in case the sysconf doesn't has these limit values.

>This patch covers two problems:
>1) The POSIX says that sysconf will return -1 on failure,
> thus the ( < check is definitely incorrect

Oh? Care to elaborate?

>2) It's safe to use the buffer of any size (according to
> POSIX), since you give the buffer length to these
> functions. 

Yeah, according to POSIX those functions must be implemented.
But they are not.

>it's better then give up on retriving this info just in
>case the sysconf doesn't has these limit values.

I don't think it's any better to use hacks to workaround missing FreeBSD functionality.

>>This patch covers two problems:
>>1) The POSIX says that sysconf will return -1 on failure,
>> thus the ( < check is definitely incorrect
>
>Oh? Care to elaborate?

Yeah... According to susv3:
"If name is an invalid value, sysconf() shall return -1 and set errno to indicate the error. If the variable corresponding to name has no limit, sysconf() shall return -1 without changing the value of errno. Note that indefinite limits do not imply infinite limits; see <limits.h>."

>>2) It's safe to use the buffer of any size (according to
>> POSIX), since you give the buffer length to these
>> functions. 
>
>Yeah, according to POSIX those functions must be >implemented.
>But they are not.

>it's better then give up on retriving this info just in
>case the sysconf doesn't has these limit values.

>I don't think it's any better to use hacks to workaround >missing FreeBSD
> functionality.

Ok, agree. It's open to you.

>Yeah... According to susv3:
Yes, I know that, thanks.
But that does not mean "if (buflen < 1)" is incorrect.
I don't think that zero buflen is a correct value (and even if it is, it's useless).

Ilia, please take a look at this, IIRC you added those sysconf() patches.

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

The current code is fine, we should not hardcode buffer sizes 
if they cannot be retrieved, this could lead to exploitable 
situations. Also if the return buffer length of 0 it probably 
indicates a problem. 

> The current code is fine, we should not hardcode buffer     > sizes if they cannot be retrieved, this could lead to       > exploitable situations. Also if the return buffer length of > 0 it probably indicates a problem. 

1) According to POSIX it's not a problem
2) Besides that one check is missing (take a look at patch), so you're effectively trying to malloc (size_t)-1 bytes on FreeBSD currently, which leads to crash.

The bug is still here.

buflen check disallows values that are less then 1, so how 
will you ever allocate a negative value?

RETURN_FALSE will terminate the function.

He is refering to this part of the patch:
@@ -887,6 +886,8 @@
 #ifdef HAVE_GETGRGID_R

        grbuflen = sysconf(_SC_GETGR_R_SIZE_MAX);
+       if (grbuflen < 0)
+               grbuflen = 1024;


so there is no check there for a negative return value.

Nuno, this part of the patch has been applied 3 days ago.