diff -Nru gdm3-3.28.3/debian/changelog gdm3-3.28.3/debian/changelog
--- gdm3-3.28.3/debian/changelog 2019-02-19 08:33:26.000000000 +0000
+++ gdm3-3.28.3/debian/changelog 2020-10-27 15:09:55.000000000 +0000
@@ -1,3 +1,12 @@
+gdm3 (3.28.3-0ubuntu18.04.6) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: gnome-initial-setup launch issue
+ - debian/patches/CVE-2020-16125.patch: fail if accountsservice could
+ not be contacted in daemon/gdm-display.c.
+ - CVE-2020-16125
+
+ -- Marc Deslauriers Tue, 27 Oct 2020 11:09:55 -0400
+
 gdm3 (3.28.3-0ubuntu18.04.4) bionic-security; urgency=medium
 
 * SECURITY UPDATE: Access to the logged-in user's session
diff -Nru gdm3-3.28.3/debian/patches/CVE-2020-16125.patch gdm3-3.28.3/debian/patches/CVE-2020-16125.patch
--- gdm3-3.28.3/debian/patches/CVE-2020-16125.patch 1970-01-01 00:00:00.000000000 +0000
+++ gdm3-3.28.3/debian/patches/CVE-2020-16125.patch 2020-10-27 15:09:05.000000000 +0000
@@ -0,0 +1,65 @@
+Description: fail if accountsservice could not be contacted
+Origin: upstream, https://gitlab.gnome.org/GNOME/gdm/-/merge_requests/117
+
+--- a/daemon/gdm-display.c
++++ b/daemon/gdm-display.c
+@@ -536,12 +536,12 @@ gdm_display_real_prepare (GdmDisplay *se
+ return TRUE;
+ }
+
+-static void
++static gboolean
+ look_for_existing_users_sync (GdmDisplay *self)
+ {
+- GError *error = NULL;
+- GVariant *call_result;
+- GVariant *user_list;
++ g_autoptr(GError) error = NULL;
++ g_autoptr(GVariant) call_result = NULL;
++ g_autoptr(GVariant) user_list = NULL;
+
+ self->priv->accountsservice_proxy = g_dbus_proxy_new_sync (self->priv->connection,
+ 0, NULL,
+@@ -552,8 +552,8 @@ look_for_existing_users_sync (GdmDisplay
+ &error);
+
+ if (!self->priv->accountsservice_proxy) {
+- g_warning ("Failed to contact accountsservice: %s", error->message);
+- goto out;
++ g_critical ("Failed to contact accountsservice: %s", error->message);
++ return FALSE;
+ }
+
+ call_result = g_dbus_proxy_call_sync (self->priv->accountsservice_proxy,
+@@ -565,16 +565,14 @@ look_for_existing_users_sync (GdmDisplay
+ &error);
+
+ if (!call_result) {
+- g_warning ("Failed to list cached users: %s", error->message);
+- goto out;
++ g_critical ("Failed to list cached users: %s", error->message);
++ return FALSE;
+ }
+
+ g_variant_get (call_result, "(@ao)", &user_list);
+ self->priv->have_existing_user_accounts = g_variant_n_children (user_list) > 0;
+- g_variant_unref (user_list);
+- g_variant_unref (call_result);
+-out:
+- g_clear_error (&error);
++
++ return TRUE;
+ }
+
+ gboolean
+@@ -589,7 +587,9 @@ gdm_display_prepare (GdmDisplay *self)
+ /* FIXME: we should probably do this in a more global place,
+ * asynchronously
+ */
+- look_for_existing_users_sync (self);
++ if (!look_for_existing_users_sync (self)) {
++ exit (EXIT_FAILURE);
++ }
+
+ self->priv->doing_initial_setup = wants_initial_setup (self);
+
diff -Nru gdm3-3.28.3/debian/patches/series gdm3-3.28.3/debian/patches/series
--- 
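Review bot: The `exit (EXIT_FAILURE)` added in gdm_display_prepare (last inner hunk) carries no comment saying why a failed accountsservice lookup has to be fatal, so the fail-closed intent is easy to undo in a later cleanup. Judging from the changelog entry, the old code fell through to `wants_initial_setup` with `have_existing_user_accounts` never set; wants_initial_setup itself is not visible here, so that link is inferred. I would add above the check: `/* Fail closed: if the user list is unavailable we cannot know whether accounts exist, so never fall through to initial setup (CVE-2020-16125). */`. Because the process now terminates on this path, the two `g_critical` messages are the only trace it leaves and are worth alerting on. gdm_display_prepare starts and ends outside the hunk.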
gdm3-3.28.3/debian/patches/series 2019-02-19 08:33:20.000000000 +0000
+++ gdm3-3.28.3/debian/patches/series 2020-10-27 15:02:34.000000000 +0000
@@ -20,3 +20,4 @@
 CVE-2019-3825-2.patch
 CVE-2019-3825-3.patch
 CVE-2019-3825-4.patch
+CVE-2020-16125.patch