> >> Note that the problem back then was that the shipped archive
> >> contained m4 files so the autogen step did not "help".
> > the attack actually *relied* on doing so.
>
Just to clarify what you're saying here: the attack relied on smuggling in a .m4 file that was not present in the GitHub source code but was present in the GitHub release tarball used as the upstream source for this package.
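An added example, not part of the original message or of any project's tooling: one way to check a release tarball against the repository tree it claims to come from, flagging files that exist only in the tarball or whose content differs. The function names, the `pkg-1.0/` layout and the sample files are constructed for illustration; autotools release tarballs legitimately carry generated files, so each hit needs review rather than automatic rejection.

```python
import hashlib
import io
import tarfile


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def audit_tarball(tar_bytes, tracked, strip_components=1):
    """Compare tarball members with VCS-tracked files.

    tracked maps repository path -> sha256 of the tracked blob (assumed to be
    produced from a checkout of the release tag). Returns {path: reason}.
    """
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Drop the leading "pkg-1.0/" style directory.
            path = "/".join(member.name.split("/")[strip_components:])
            digest = sha256(tar.extractfile(member).read())
            if path not in tracked:
                findings[path] = "not in repository"
            elif tracked[path] != digest:
                findings[path] = "content differs from repository"
    return findings


def make_tarball(files):
    """Build an in-memory .tar.gz from {name: bytes} (sample data helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: the repository tracks three files; the tarball adds an
# .m4 file and changes Makefile.am.
REPO = {"configure.ac": b"AC_INIT\n", "Makefile.am": b"SUBDIRS = src\n",
        "src/main.c": b"int main(void) { return 0; }\n"}
TRACKED = {path: sha256(data) for path, data in REPO.items()}
TARBALL = make_tarball({
    "pkg-1.0/configure.ac": REPO["configure.ac"],
    "pkg-1.0/Makefile.am": b"SUBDIRS = src tests\n",
    "pkg-1.0/src/main.c": REPO["src/main.c"],
    "pkg-1.0/m4/example.m4": b"dnl constructed sample\n",
})

if __name__ == "__main__":
    for path, reason in sorted(audit_tarball(TARBALL, TRACKED).items()):
        print(f"{path}: {reason}")
```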