Passing a different PAM handle to PAM API functions where the same handle should be used. This is caused by initializing the global variable holding the PAM handle from a child process, which has a separate address space and thus the initialization has no effect on the parent's PAM handle where the pam_end_sessions functions is called.
(from comment #3)
A module may rely on being called at session close in order to release resources or make important administrative changes, which now won't happen.
Fixed by rebasing to a newer upstream version which uses the PAM API correctly, i.e. initializes one PAM handle and uses it in all related PAM API function calls.
PAM session is closed correctly.