-rw-r--r-- | debian/changelog | 17 | ||||
-rw-r--r-- | debian/patches-applied/lib_security_multiarch_compat | 8 |
2 files changed, 21 insertions, 4 deletions
diff --git a/debian/changelog b/debian/changelog
index 592cda00..dee3f32b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+pam (1.4.0-9) unstable; urgency=medium
+
+ * Revert prefer the multiarch path from 1.4.0-8: It turns out that
+ Debian uses DEFAULT_MODULE_PATH and _PAM_ISA in the opposite meaning
+ of upstream. If I had read the patch header of
+ patches-applied/lib_security_multiarch_compat more closely I would
+ have noticed this. The effect of 1.4.0-9 is what is stated in the
+ 1.4.0-8 changelog: we prefer multiarch paths, but the original patch
+ did that.
+ * I did test this in 1.4.0-8, but my test design was flawed. I placed a
+ invalid shared object in /lib/security and confirmed it did not shadow
+ an object in /lib/x86_64-linux-gnu/security. However I realized
+ shortly after releasing 1.4.0-8 that a valid shared object in
+ /lib/security will shadow one in the multiarch path.
+
+ -- Sam Hartman <hartmans@debian.org> Fri, 09 Jul 2021 10:55:02 -0600
+
 pam (1.4.0-8) unstable; urgency=high
 
 [ Hideki Yamane ]
diff --git a/debian/patches-applied/lib_security_multiarch_compat b/debian/patches-applied/lib_security_multiarch_compat
index 2ac671a4..e386ff39 100644
--- a/debian/patches-applied/lib_security_multiarch_compat
+++ b/debian/patches-applied/lib_security_multiarch_compat
@@ -24,16 +24,16 @@ Index: pam-1.4.0/libpam/pam_handlers.c
 + mod->dl_handle = _pam_dlopen(mod_path);
 + } else {
 + char *mod_full_path = NULL;
-+ if (asprintf(&mod_full_path, "%s/%s",
-+ _PAM_ISA, mod_path) >= 0) {
++ if (asprintf(&mod_full_path, "%s%s",
++ DEFAULT_MODULE_PATH, mod_path) >= 0) {
 + mod->dl_handle = _pam_dlopen(mod_full_path);
 + _pam_drop(mod_full_path);
 + } else {
 + pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
 + }
 + if (!mod->dl_handle) {
-+ if (asprintf(&mod_full_path, "%s%s",
-+ DEFAULT_MODULE_PATH, mod_path) >= 0) {
++ if (asprintf(&mod_full_path, "%s/%s",
++ _PAM_ISA, mod_path) >= 0) {
 + mod->dl_handle = _pam_dlopen(mod_full_path);
 + _pam_drop(mod_full_path);
 + } else { |
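Review bot: The two lookups in this hunk carry no comment saying which macro names which directory, and the changelog entry in this same commit records that exactly that confusion produced the wrong order in 1.4.0-8. Because the first successful `_pam_dlopen` wins, the order decides which copy of a module shadows the other, so it is worth stating above the first `asprintf`: `/* Debian: DEFAULT_MODULE_PATH is tried first (the multiarch dir, per debian/changelog); _PAM_ISA is the fallback -- opposite of upstream's naming */`. The `if (!mod->dl_handle)` fallback is taken on any load failure, not only a missing file, so a debug-level `pam_syslog` naming the path that was actually loaded would let an administrator see when a module came from the fallback directory; whether later code already logs this is not visible here. The enclosing block starts and ends outside the hunk.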