diff -Nru gdm3-3.36.3/debian/changelog gdm3-3.36.3/debian/changelog
--- gdm3-3.36.3/debian/changelog 2020-09-08 17:01:39.000000000 +0000
+++ gdm3-3.36.3/debian/changelog 2020-10-27 14:57:05.000000000 +0000
@@ -1,3 +1,12 @@
+gdm3 (3.36.3-0ubuntu0.20.04.2) focal-security; urgency=medium
+
+ * SECURITY UPDATE: gnome-initial-setup launch issue
+ - debian/patches/CVE-2020-16125.patch: fail if accountsservice could
+ not be contacted in daemon/gdm-display.c.
+ - CVE-2020-16125
+
+ -- Marc Deslauriers Tue, 27 Oct 2020 10:57:05 -0400
+
 gdm3 (3.36.3-0ubuntu0.20.04.1) focal; urgency=medium
 
 [ Iain Lane ]
diff -Nru gdm3-3.36.3/debian/patches/CVE-2020-16125.patch gdm3-3.36.3/debian/patches/CVE-2020-16125.patch
--- gdm3-3.36.3/debian/patches/CVE-2020-16125.patch 1970-01-01 00:00:00.000000000 +0000
+++ gdm3-3.36.3/debian/patches/CVE-2020-16125.patch 2020-10-27 14:57:01.000000000 +0000
@@ -0,0 +1,68 @@
+Description: fail if accountsservice could not be contacted
+Origin: upstream, https://gitlab.gnome.org/GNOME/gdm/-/merge_requests/117
+
+diff --git a/daemon/gdm-display.c b/daemon/gdm-display.c
+index d1d24956f544587ab3d0924a3045b23f696e35c0..7c954ad24f861241213a85f4908d8a2ed93c30ec 100644
+--- a/daemon/gdm-display.c
++++ b/daemon/gdm-display.c
+@@ -510,13 +510,13 @@ gdm_display_real_prepare (GdmDisplay *self)
+ return TRUE;
+ }
+
+-static void
++static gboolean
+look_for_existing_users_sync (GdmDisplay *self)
+ {
+ GdmDisplayPrivate *priv;
+- GError *error = NULL;
+- GVariant *call_result;
+- GVariant *user_list;
++ g_autoptr(GError) error = NULL;
++ g_autoptr(GVariant) call_result = NULL;
++ g_autoptr(GVariant) user_list = NULL;
+
+ priv = gdm_display_get_instance_private (self);
+ priv->accountsservice_proxy = g_dbus_proxy_new_sync (priv->connection,
+@@ -528,8 +528,8 @@ look_for_existing_users_sync (GdmDisplay *self)
+ &error);
+
+ if (!priv->accountsservice_proxy) {
+- g_warning ("Failed to contact accountsservice: %s", error->message);
+- goto out;
++ g_critical ("Failed to contact accountsservice: %s", error->message);
++ return FALSE;
+ }
+
+ call_result = g_dbus_proxy_call_sync (priv->accountsservice_proxy,
+@@ -541,16 +541,14 @@ look_for_existing_users_sync (GdmDisplay *self)
+ &error);
+
+ if (!call_result) {
+- g_warning ("Failed to list cached users: %s", error->message);
+- goto out;
++ g_critical ("Failed to list cached users: %s", error->message);
++ return FALSE;
+ }
+
+ g_variant_get (call_result, "(@ao)", &user_list);
+ priv->have_existing_user_accounts = g_variant_n_children (user_list) > 0;
+- g_variant_unref (user_list);
+- g_variant_unref (call_result);
+-out:
+- g_clear_error (&error);
++
++ return TRUE;
+ }
+
+ gboolean
+@@ -568,7 +566,9 @@ gdm_display_prepare (GdmDisplay *self)
+ /* FIXME: we should probably do this in a more global place,
+ * asynchronously
+ */
+- look_for_existing_users_sync (self);
++ if (!look_for_existing_users_sync (self)) {
++ exit (EXIT_FAILURE);
++ }
+
+ priv->doing_initial_setup = wants_initial_setup (self);
+
diff -Nru gdm3-3.36.3/debian/patches/series gdm3-3.36.3/debian/patches/series
--- gdm3-3.36.3/debian/patches/series 2020-09-08 17:01:39.000000000 +0000
+++ gdm3-3.36.3/debian/patches/series 2020-10-27 14:57:01.000000000 +0000
@@ -12,3 +12,4 @@
 ubuntu/dont_set_language_env.patch
 ubuntu/prefer_ubuntu_session_fallback.patch
 ubuntu/gdm3.service-wait-for-drm-device-before-trying-to-start-i.patch
+CVE-2020-16125.patch
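Review bot: The `exit (EXIT_FAILURE)` added in `gdm_display_prepare` (last hunk of the embedded `daemon/gdm-display.c` patch in `debian/patches/CVE-2020-16125.patch`) ends the whole daemon from a per-display path, and nothing at the call site says this is a deliberate fail-closed choice. Without a user list, `have_existing_user_accounts` keeps its earlier value and `wants_initial_setup` is evaluated next, so the abort is presumably what prevents initial setup being offered on a machine that already has accounts. I would record that above the check, e.g. `/* Fail closed: without the user list we cannot tell whether initial setup is safe to offer (CVE-2020-16125). */`. Since `gdm_display_prepare` returns `gboolean`, `return FALSE;` might confine the failure to this display, but its callers and the rest of its body lie outside the hunk, so that needs confirming first. Operationally, an unresponsive accountsservice now means gdm exits, so the two `g_critical` messages are worth alerting on.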