In particular, the gdm PreSession script seems to be short quoting on DISPLAY and USER in various places that matter.
Fixing in CVS. Note that xdm as installed on my box (RH9) has the same issues when it calls sessreg; I assume kdm has the same as well. However, is this truly "exploitable"? It would also be nice to know of any other issues such as this in GDM; is this the only one found?
I've not done any kind of code review. I don't think it's exploitable - you have to have a valid username containing such characters.
We should have the fix in the latest gdm packages.
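The quoting issue discussed in this thread, as an added example that is not taken from the gdm PreSession script or from any commenter: it compares unquoted and quoted expansion of DISPLAY and USER values when they are passed to a helper, and adds a conservative check on the values. `record_args` is a hypothetical stand-in for sessreg, and the sample values are constructed.

```sh
#!/bin/sh
# Added illustration; not the gdm PreSession script.
# record_args is a hypothetical stand-in for sessreg: it only reports
# how many arguments the shell actually handed to it.
record_args() {
    printf '%s\n' "$#"
}

# Unquoted expansion: the shell applies word splitting (and pathname
# expansion) to the values, so one value can turn into several arguments.
call_unquoted() {
    d=$1
    u=$2
    record_args $d $u
}

# Quoted expansion: each value reaches the helper as exactly one argument,
# whatever characters it contains.
call_quoted() {
    d=$1
    u=$2
    record_args "$d" "$u"
}

# Defence in depth (an assumption of this example, not something the thread
# prescribes): accept only values built from a conservative character set,
# and reject empty values or values that start with a dash.
is_safe_value() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample values.
sample_display=':0'
sample_user='test user'

echo "unquoted argument count: $(call_unquoted "$sample_display" "$sample_user")"
echo "quoted argument count:   $(call_quoted "$sample_display" "$sample_user")"
if is_safe_value "$sample_user"; then
    echo "user value accepted"
else
    echo "user value rejected"
fi
```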