I accidentally typed my password in the username field of a gdm login
screen -- I thought the screen was locked rather than logged out, and I
typed the password before the monitor had a change to wake up.
Imagine my surprise when my password was logged in cleartext in
/var/log/messages! "gdm: Couldn't authenticate XXXX"
It is a cardinal rule of designing login interfaces that you never log
information typed by the user, for just this reason.
Someone just reported this same bug for another reason, you can enter "%s%s%s"
as your password and get some uninitialized memory reads. Looks like it's "turn
off gdm logging crack" day.
gdm-184.108.40.206-11 should resolve this.