I accidentally typed my password in the username field of a gdm login screen -- I thought the screen was locked rather than logged out, and I typed the password before the monitor had a change to wake up. Imagine my surprise when my password was logged in cleartext in /var/log/messages! "gdm[1384]: Couldn't authenticate XXXX" It is a cardinal rule of designing login interfaces that you never log information typed by the user, for just this reason.
Someone just reported this same bug for another reason, you can enter "%s%s%s" as your password and get some uninitialized memory reads. Looks like it's "turn off gdm logging crack" day.
gdm-2.2.3.1-11 should resolve this.