By default, the /etc/pam.d/system-auth file has 4 entries that reference /lib/security/pam_pwdb.so. ALL of these need to be changed to reference /lib/security/pam_unix.so. The effect of this bug is that anyone who has a valid password for any user on the system can login as root either from console by failing to login with that user ID 3 times, and then on the 4th attempt, succeeding to login. Please create a new ebuild of PAM that fixes this.
we have a new shadow that fixes this now. Apparently pam_pwdb is broken -- wonderful.