diff -Nru accountsservice-0.6.40/debian/changelog accountsservice-0.6.40/debian/changelog
--- accountsservice-0.6.40/debian/changelog 2016-10-25 15:15:26.000000000 +0000
+++ accountsservice-0.6.40/debian/changelog 2020-11-02 17:11:26.000000000 +0000
@@ -1,3 +1,19 @@
+accountsservice (0.6.40-2ubuntu11.6) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: accountsservice drop privileges SIGSTOP DoS
+ (LP: #1900255)
+ - debian/patches/0010-set-language.patch: updated to not drop real uid
+ and real gid in user_drop_privileges_to_user.
+ - debian/patches/0009-language-tools.patch: updated to not reset
+ effective uid.
+ - CVE-2020-16126
+ * SECURITY UPDATE: directory traversal issue
+ - debian/patches/CVE-2018-14036.patch: fix insufficient path prefix
+ check in src/user.c.
+ - CVE-2018-14036
+
+ -- Marc Deslauriers Mon, 02 Nov 2020 12:10:06 -0500
+
 accountsservice (0.6.40-2ubuntu11.3) xenial; urgency=medium
 
 * debian/patches/wtmp-fix-logout.patch:
diff -Nru accountsservice-0.6.40/debian/patches/0009-language-tools.patch accountsservice-0.6.40/debian/patches/0009-language-tools.patch
--- accountsservice-0.6.40/debian/patches/0009-language-tools.patch 2016-08-26 01:27:44.000000000 +0000
+++ accountsservice-0.6.40/debian/patches/0009-language-tools.patch 2020-11-02 17:10:01.000000000 +0000
@@ -1,5 +1,6 @@
 Description: Help files for dealing with language/locale settings.
 Author: Gunnar Hjalmarsson
+Updated: 2020-11-02
 
 Index: accountsservice-0.6.40/configure.ac
 ===================================================================
@@ -18,7 +19,7 @@
 --- /dev/null
 +++ accountsservice-0.6.40/data/langtools/language2locale
 @@ -0,0 +1,70 @@
-+#!/bin/sh -e
++#!/bin/sh -pe
 +#
 +# - takes the first choice language in the LANGUAGE priority list as argument
 +# - outputs locale name corresponding to that language
@@ -177,7 +178,7 @@
 --- /dev/null
 +++ accountsservice-0.6.40/data/langtools/language-validate
 @@ -0,0 +1,82 @@
-+#!/bin/sh -e
++#!/bin/sh -pe
 +
 +lang=$1
 +validated_language=
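Review bot: The `-p` added to the `#!/bin/sh` line of language2locale is now load-bearing, and nothing in the script says so. Per the changelog entry the daemon no longer drops the real uid and gid, so these helpers start with differing real and effective ids, and `-p` is what keeps the shell from resetting the effective uid. If the flag is lost (an edit to the shebang, or a caller that runs the file as `sh language2locale`), the helper would presumably run with the daemon's real uid rather than the target user's. I would add a line under each shebang such as `# -p: keep the effective uid/gid set by the accountsservice daemon; do not remove (CVE-2020-16126)`. The same applies to language-validate, locale2papersize, save-to-pam-env, set-language-helper and update-langlist; whether any of them starts a further shell without `-p` is not visible in these hunks and is worth checking.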
@@ -264,7 +265,7 @@
 --- /dev/null
 +++ accountsservice-0.6.40/data/langtools/locale2papersize
 @@ -0,0 +1,18 @@
-+#!/bin/sh -e
++#!/bin/sh -pe
 +#
 +# locale2papersize outputs the paper size "a4" or "letter" based on
 +# the height and width in the locale that is passed as an argument.
@@ -342,7 +343,7 @@
 --- /dev/null
 +++ accountsservice-0.6.40/data/langtools/save-to-pam-env
 @@ -0,0 +1,40 @@
-+#!/bin/sh -e
++#!/bin/sh -pe
 +#
 +# updates the ~/.pam_environment config file
 +
@@ -387,7 +388,7 @@
 --- /dev/null
 +++ accountsservice-0.6.40/data/langtools/set-language-helper
 @@ -0,0 +1,27 @@
-+#!/bin/sh -e
++#!/bin/sh -pe
 +
 +homedir=$1
 +language=$2
@@ -419,7 +420,7 @@
 --- /dev/null
 +++ accountsservice-0.6.40/data/langtools/update-langlist
 @@ -0,0 +1,48 @@
-+#!/bin/sh -e
++#!/bin/sh -pe
 +#
 +# update-langlist maintains the LANGUAGE priority list. It does so in
 +# a simplified manner, unlike the UI in language-selector-gnome for
diff -Nru accountsservice-0.6.40/debian/patches/0010-set-language.patch accountsservice-0.6.40/debian/patches/0010-set-language.patch
--- accountsservice-0.6.40/debian/patches/0010-set-language.patch 2016-08-26 01:27:44.000000000 +0000
+++ accountsservice-0.6.40/debian/patches/0010-set-language.patch 2020-10-22 10:55:14.000000000 +0000
@@ -1,20 +1,21 @@ Description: Save user language and regional formats settings to ~/.pam_environment. Author: Gunnar Hjalmarsson +Updated: 2020-10-21 ---- accountsservice.orig/src/user.c 2015-04-13 12:54:51.519751660 +0200 -+++ accountsservice/src/user.c 2015-05-12 16:01:26.198226769 +0200 -@@ -1072,6 +1072,307 @@ +--- a/src/user.c ++++ b/src/user.c +@@ -1072,6 +1072,307 @@ user_set_email (AccountsUser *a return TRUE; } +static gboolean +user_drop_privileges_to_user (User *user) +{ -+ if (setresgid (user->gid, user->gid, -1) != 0) { ++ if (setresgid (-1, user->gid, -1) != 0) { + g_warning ("setresgid() failed"); + return FALSE; + } -+ if (setresuid (user->uid, user->uid, -1) != 0) { ++ if (setresuid (-1, user->uid, -1) != 0) { + g_warning ("setresuid() failed"); + return FALSE; + } @@ -311,7 +312,7 @@ static void user_change_language_authorized_cb (Daemon *daemon, User *user, -@@ -1079,11 +1380,78 @@ +@@ -1079,11 +1380,78 @@ user_change_language_authorized_cb (Daem gpointer data) { @@ -394,7 +395,7 @@ save_extra_data (user); -@@ -1092,6 +1460,7 @@ +@@ -1092,6 +1460,7 @@ user_change_language_authorized_cb (Daem g_object_notify (G_OBJECT (user), "language"); } @@ -402,7 +403,7 @@ accounts_user_complete_set_language (ACCOUNTS_USER (user), context); } -@@ -1135,11 +1504,15 @@ +@@ -1135,11 +1504,15 @@ user_change_formats_locale_authorized_cb gpointer data) { @@ -423,7 +424,7 @@ save_extra_data (user); -@@ -2326,10 +2699,16 @@ +@@ -2326,10 +2699,16 @@ user_get_property (GObject *object, g_value_set_string (value, user->email); break; case PROP_LANGUAGE: diff -Nru accountsservice-0.6.40/debian/patches/CVE-2018-14036.patch accountsservice-0.6.40/debian/patches/CVE-2018-14036.patch --- accountsservice-0.6.40/debian/patches/CVE-2018-14036.patch 1970-01-01 00:00:00.000000000 +0000 +++ accountsservice-0.6.40/debian/patches/CVE-2018-14036.patch 2020-10-26 13:07:14.000000000 +0000 
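Review bot: `setresgid (-1, user->gid, -1)` and `setresuid (-1, user->uid, -1)` in user_drop_privileges_to_user change only the effective ids, so the real and saved ids keep the daemon's values and any code that later runs in that process can switch back. Going by the changelog this is the intent of the fix (the real uid is kept, presumably so the target user can no longer signal the process), but it should be stated on the function, e.g. `/* Sets only the effective uid/gid; real and saved ids are left unchanged on purpose (CVE-2020-16126). Not a permanent drop. */`. The lines shown also contain no supplementary-group handling, and the `g_warning` calls omit the errno text (`g_warning ("setresuid() failed: %s", g_strerror (errno));`); the function continues outside the hunk, so both may be handled there. If the helpers started after this call are expected to stay unprivileged, the helpers themselves have to ensure it, because the kernel will not enforce it with the saved ids left in place.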
@@ -0,0 +1,44 @@
+From f9abd359f71a5bce421b9ae23432f539a067847a Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner
+Date: Tue, 10 Jul 2018 09:51:47 -0400
+Subject: user: fix insufficient path prefix check
+
+The path prefix check can be circumvented by regular users by passing
+relative path component like so:
+
+$ dbus-send --system --print-reply --dest=org.freedesktop.Accounts \
+ /org/freedesktop/Accounts/User1000 \
+ org.freedesktop.Accounts.User.SetIconFile \
+ string:/usr/share/../../tmp/test
+
+This results in a user controlled path being stored in the
+accountsservice. Clients of accountsservice may unwittingly trust this
+path.
+
+To fix that situation this commit canonicalizes the input path before
+the prefix comparison.
+
+Some small changes to patch by Ray Strode.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=107085
+---
+ src/user.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/src/user.c
++++ b/src/user.c
+@@ -2226,6 +2226,14 @@ user_change_icon_file_authorized_cb (Dae
+ }
+
+ file = g_file_new_for_path (filename);
++ g_clear_pointer (&filename, g_free);
++
++ /* Canonicalize path so we can call g_str_has_prefix on it
++ * below without concern for ../ path components moving outside
++ * the prefix
++ */
++ filename = g_file_get_path (file);
++
+ info = g_file_query_info (file, G_FILE_ATTRIBUTE_UNIX_MODE ","
+ G_FILE_ATTRIBUTE_STANDARD_TYPE ","
+ G_FILE_ATTRIBUTE_STANDARD_SIZE,
diff -Nru accountsservice-0.6.40/debian/patches/series accountsservice-0.6.40/debian/patches/series
--- accountsservice-0.6.40/debian/patches/series 2016-10-25 15:15:26.000000000 +0000
+++ accountsservice-0.6.40/debian/patches/series 2020-10-26 13:07:10.000000000 +0000
@@ -18,3 +18,4 @@
 1002-dont-override-standardoutput.patch
 change-own-data-inactive.patch
 wtmp-Fix-logout-times.patch
+CVE-2018-14036.patch
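Review bot: `filename = g_file_get_path (file);` normalizes the path lexically, which removes the `../` components, but as far as I know it does not resolve symbolic links, so the comment's "Canonicalize" promises slightly more than the call delivers. For the prefix test below the hunk this means a symlink located under an allowed prefix is still accepted as-is; that is probably acceptable if only root can write there, but the comment should say it: `/* Lexically normalize the path (symlinks are not resolved) so ../ components cannot move it outside the prefix checked below. */`. `g_file_get_path()` is also documented to return NULL when a file has no local path, so an explicit `if (filename == NULL)` guard before the prefix comparison would make the assumption visible. The prefix comparison and the rest of user_change_icon_file_authorized_cb are outside this hunk.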