Benjamin Berg · Marco Trevisan · Marco Trevisan · Ray Strode · Ray Strode · Ray Strode
--- a/NEWS
+++ b/NEWS
+================
+Version 3.38.2.1
+================
+- Address autologin unlock bug issue (CVE-2020-27837)
+- Translation updates
+
+==============
+Version 3.38.2
+==============
+- Fix localization bug to prevented translated messages from showing up
+- Deal more appropriately with broken accountsservice
+
 ==============
 Version 3.38.1
 ==============

--- a/daemon/gdm-display.c
+++ b/daemon/gdm-display.c
@@ -510,7 +510,7 @@ gdm_display_real_prepare (GdmDisplay *self)
        return TRUE;
 }

-static void
+static gboolean
 look_for_existing_users_sync (GdmDisplay *self)
 {
        GdmDisplayPrivate *priv;
@@ -528,7 +528,7 @@ look_for_existing_users_sync (GdmDisplay *self)
                                                             &error);

        if (!priv->accountsservice_proxy) {
-                g_warning ("Failed to contact accountsservice: %s", error->message);
+                g_critical ("Failed to contact accountsservice: %s", error->message);
                goto out;
        }

@@ -541,7 +541,7 @@ look_for_existing_users_sync (GdmDisplay *self)
                                              &error);

        if (!call_result) {
-                g_warning ("Failed to list cached users: %s", error->message);
+                g_critical ("Failed to list cached users: %s", error->message);
                goto out;
        }

@@ -551,6 +551,7 @@ look_for_existing_users_sync (GdmDisplay *self)
        g_variant_unref (call_result);
 out:
        g_clear_error (&error);
+        return priv->accountsservice_proxy != NULL && call_result != NULL;
 }

 gboolean
@@ -568,7 +569,9 @@ gdm_display_prepare (GdmDisplay *self)
        /* FIXME: we should probably do this in a more global place,
         * asynchronously
         */
-        look_for_existing_users_sync (self);
+        if (!look_for_existing_users_sync (self)) {
+                exit (EXIT_FAILURE);
+        }

        priv->doing_initial_setup = wants_initial_setup (self);


--- a/daemon/gdm-session-worker.c
+++ b/daemon/gdm-session-worker.c
@@ -66,6 +66,7 @@
 #include "gdm-pam-extensions.h"
 #endif

+#include "gdm-dbus-glue.h"
 #include "gdm-session-worker.h"
 #include "gdm-session-glue.h"
 #include "gdm-session.h"
@@ -1051,18 +1052,6 @@ gdm_session_worker_uninitialize_pam (GdmSessionWorker *worker,

        gdm_session_worker_stop_auditor (worker);

-        /* If user-display-server is not enabled the login_vt is always
-         * identical to the session_vt. So in that case we never need to
-         * do a VT switch. */
-#ifdef ENABLE_USER_DISPLAY_SERVER
-        if (g_strcmp0 (worker->priv->display_seat_id, "seat0") == 0) {
-                /* Switch to the login VT if we are not the login screen. */
-                if (worker->priv->session_vt != GDM_INITIAL_VT) {
-                        jump_to_vt (worker, GDM_INITIAL_VT);
-                }
-        }
-#endif
-
        worker->priv->session_vt = 0;

        g_debug ("GdmSessionWorker: state NONE");
@@ -1775,6 +1764,53 @@ run_script (GdmSessionWorker *worker,
                               worker->priv->x11_authority_file);
 }

+static void
+wait_until_dbus_signal_emission_to_manager_finishes (GdmSessionWorker *worker)
+{
+        g_autoptr (GdmDBusPeer) peer_proxy = NULL;
+        g_autoptr (GError) error = NULL;
+        gboolean pinged;
+
+        peer_proxy = gdm_dbus_peer_proxy_new_sync (worker->priv->connection,
+                                                   G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES,
+                                                   NULL,
+                                                   "/org/freedesktop/DBus",
+                                                   NULL,
+                                                   &error);
+
+        if (peer_proxy == NULL) {
+                g_debug ("GdmSessionWorker: could not create peer proxy to daemon: %s",
+                         error->message);
+                return;
+        }
+
+        pinged = gdm_dbus_peer_call_ping_sync (peer_proxy, NULL, &error);
+
+        if (!pinged) {
+                g_debug ("GdmSessionWorker: could not ping daemon: %s",
+                         error->message);
+                return;
+        }
+}
+
+static void
+jump_back_to_initial_vt (GdmSessionWorker *worker)
+{
+        if (worker->priv->session_vt == 0)
+                return;
+
+        if (worker->priv->session_vt == GDM_INITIAL_VT)
+                return;
+
+        if (g_strcmp0 (worker->priv->display_seat_id, "seat0") != 0)
+                return;
+
+#ifdef ENABLE_USER_DISPLAY_SERVER
+        jump_to_vt (worker, GDM_INITIAL_VT);
+        worker->priv->session_vt = 0;
+#endif
+}
+
 static void
 session_worker_child_watch (GPid              pid,
                            int               status,
@@ -1789,18 +1825,40 @@ session_worker_child_watch (GPid              pid,
                 : WIFSIGNALED (status) ? WTERMSIG (status)
                 : -1);

-
        gdm_session_worker_uninitialize_pam (worker, PAM_SUCCESS);

+        worker->priv->child_pid = -1;
+        worker->priv->child_watch_id = 0;
+        run_script (worker, GDMCONFDIR "/PostSession");
+
        gdm_dbus_worker_emit_session_exited (GDM_DBUS_WORKER (worker),
                                             worker->priv->service,
                                             status);

        killpg (pid, SIGHUP);

-        worker->priv->child_pid = -1;
-        worker->priv->child_watch_id = 0;
-        run_script (worker, GDMCONFDIR "/PostSession");
+        /* FIXME: It's important to give the manager an opportunity to process the
+         * session-exited emission above before switching VTs.
+         *
+         * This is because switching VTs makes the manager try to put a login screen
+         * up on VT 1, but it may actually want to try to auto login again in response
+         * to session-exited.
+         *
+         * This function just does a manager roundtrip over the bus to make sure the
+         * signal has been dispatched before jumping.
+         *
+         * Ultimately, we may want to improve the manager<->worker interface.
+         *
+         * See:
+         *
+         * https://gitlab.gnome.org/GNOME/gdm/-/merge_requests/123
+         *
+         * for some ideas and more discussion.
+         *
+         */
+        wait_until_dbus_signal_emission_to_manager_finishes (worker);
+
+        jump_back_to_initial_vt (worker);
 }

 static void
@@ -2424,6 +2482,7 @@ gdm_session_worker_open_session (GdmSessionWorker  *worker,
 out:
        if (error_code != PAM_SUCCESS) {
                gdm_session_worker_uninitialize_pam (worker, error_code);
+                worker->priv->session_vt = 0;
                return FALSE;
        }

@@ -3549,6 +3608,8 @@ gdm_session_worker_finalize (GObject *object)
                gdm_session_worker_uninitialize_pam (worker, PAM_SUCCESS);
        }

+        jump_back_to_initial_vt (worker);
+
        g_object_unref (worker->priv->user_settings);
        g_free (worker->priv->service);
        g_free (worker->priv->x11_display_name);

--- a/daemon/meson.build
+++ b/daemon/meson.build
 # D-Bus interfaces
+dbus_gen = gnome.gdbus_codegen('gdm-dbus-glue',
+  'org.freedesktop.DBus.xml',
+  namespace: 'GdmDBus',
+  interface_prefix: 'org.freedesktop.DBus',
+  autocleanup: 'all',
+)
 display_dbus_gen = gnome.gdbus_codegen('gdm-display-glue',
  'gdm-display.xml',
  namespace: 'GdmDBus',
@@ -87,6 +93,7 @@ gdm_session_worker_src = [
  'gdm-session-worker-job.c',
  'gdm-session-worker-common.c',
  'gdm-dbus-util.c',
+  dbus_gen,
  session_dbus_gen,
  session_worker_dbus_gen,
  gdm_session_enums,

--- a/daemon/org.freedesktop.DBus.xml
+++ b/daemon/org.freedesktop.DBus.xml
+<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
+"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
+<node>
+  <interface name="org.freedesktop.DBus.Peer">
+    <method name="GetMachineId">
+      <arg direction="out" type="s"/>
+    </method>
+    <method name="Ping">
+    </method>
+  </interface>
+</node>
+
--- a/debian/Xsession
+++ b/debian/Xsession
@@ -70,23 +70,6 @@ internal_errormsg () {
           "<debian-x@lists.debian.org>."
 }

-run_parts () {
-  # until run-parts --noexec is implemented
-  if [ -z "$1" ]; then
-    internal_errormsg "run_parts() called without an argument."
-  fi
-  if [ ! -d "$1" ]; then
-    internal_errormsg "run_parts() called, but \"$1\" does not exist or is" \
-                      "not a directory."
-  fi
-  for F in $(/bin/ls $1); do
-    if expr "$F" : '[[:alnum:]_-]\+$' > /dev/null 2>&1; then
-      if [ -f "$1/$F" ]; then
-        echo "$1/$F"
-      fi
-    fi
-  done
-}
 # initialize variables for use by all session scripts

 OPTIONFILE=/etc/X11/Xsession.options
@@ -177,11 +160,29 @@ if [ "x$command" = "xcustom" ] ; then
  set default $*
 fi

+OPTIONS="$(
+  if [ -r "$OPTIONFILE" ]; then
+    cat "$OPTIONFILE"
+  fi
+  if [ -d /etc/X11/Xsession.options.d ]; then
+    run-parts --list --regex '\.conf$' /etc/X11/Xsession.options.d
+  fi
+)"
+
+has_option() {
+  # Ensure that a later no-foo overrides an earlier foo
+  if [ "$(echo "$OPTIONS" | grep -Eo "^(no-)?$1\>" | tail -n 1)" = "$1" ]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
 # use run-parts to source every file in the session directory; we source
 # instead of executing so that the variables and functions defined above
 # are available to the scripts, and so that they can pass variables to each
 # other
-SESSIONFILES=$(run_parts $SYSSESSIONDIR)
+SESSIONFILES=$(run-parts --list $SYSSESSIONDIR)
 if [ -n "$SESSIONFILES" ]; then
  for SESSIONFILE in $SESSIONFILES; do
    . $SESSIONFILE

--- a/debian/changelog
+++ b/debian/changelog
+gdm3 (3.38.2.1-2ubuntu1) UNRELEASED; urgency=medium
+
+  * Merge with debian, containing new upstream version
+  * debian/control: Don't Recommend pam fprintd module, as we seed it
+  * debian/patches: Refresh
+  * debian/gdm3.prerm: Resync with debian
+  * debian/gdm3.gdm-smartcard-*: Add user_readenv=1 in pam_env.so
+  * Remaining changes with debian:
+    + readme.debian: update for correct paths in ubuntu
+    + control.in:
+      - don't recommend desktop-base
+      - build depend on libgudev-1.0-dev
+      - depend on bash for config_error_dialog.patch
+      - update vcs field
+    + rules:
+      - don't override default user/group
+      - -dgdm-xsession=true to install upstream xsession script
+      - override dh_installinit with --no-start to avoid session being killed
+    + rules, readme.debian, gdm3.8.pod:
+      use upstream custom.conf instead of daemon.conf
+    + gdm3.{postinst,postrm}: rename user and group back to gdm
+    + gdm3.*.pam: make pam_env read ~/.pam_environment, as we use in g-c-c
+      settings
+    + gdm3.install:
+      - stop installing default.desktop. it adds unnecessary clutter
+        ("system default") to the session chooser.
+      - don't install debian/xsession
+    + add run_xsession.d.patch
+    + add xresources_is_a_dir.patch
+      - fix loading from /etc/x11/xresources/*
+    + add nvidia_prime.patch:
+      - add hook to run prime-offload (as root) and prime-switch if
+        nvidia-prime is installed
+    + add revert_override_lang_with_accountservices.patch:
+      - on ubuntu accountservices only stores the language and not the
+        full locale as needed by lang.
+    + add dont_set_language_env.patch:
+      - don't run the set_up_session_language() function, since it
+        overrides variable values set by ~/.pam_environment
+    + add config_error_dialog.patch:
+      - show warning dialog in case of error in ~/.profile etc. and
+        don't let a syntax error make the login fail
+    + add debian/patches/revert_nvidia_wayland_blacklist.patch:
+      - don't blacklist nvidia for wayland
+    + add gdm3.service-wait-for-drm-device-before-trying-to-start-i.patch:
+      - wait for the first valid gdm device on pre-start
+    + add debian/default.pa
+      - disable bluetooth audio devices in pulseaudio from gdm3.
+    + debian/gdm3.install
+      - added details of the default.pa file
+    + debian/gdm3.postinst
+      - added installation of default.pa and creation of dir if it doesn't
+        exist.
+    + debian/greeter.dconf-defaults: don't set debian settings in the
+      greeter's dconf db
+
+ -- Marco Trevisan (Treviño) <marco@ubuntu.com>  Thu, 25 Feb 2021 18:05:38 +0100
+
+gdm3 (3.38.2.1-2) experimental; urgency=medium
+
+  * debian: Add gdm-smartcard PAM module implemented with libpam_sss.
+    The implementation uses update-alternatives to provide a generic
+    gdm-smartcard PAM module that can be changed using the tool.
+    Potentially other systems could be used or supported (such as pam_pkcs11
+    or pam_p11) by adding other modules implementing the gdm-smartcard auth
+    service. (LP: #1865226, Closes: #953557)
+  * debian: Add gdm-smartcard implementation using pkcs11
+  * debian/gdm3.gdm-smartcard-sssd-exclusive.pam:
+    - PAM config to use exclusive (no fallback is supported) smartcard
+      authentication via libpam_sss
+  * debian/gdm3.gdm-smartcard-sssd-or-password.pam:
+    - PAM config to optionally use smartcard authentication via libpam_sss,
+      on failure it fallbacks to password authentication
+  * debian/gdm3.gdm-smartcard-pkcs11-exclusive.pam:
+    - PAM config to use exclusive (no fallback is supported) smartcard
+      authentication via libpam_pkcs11
+  * debian/control:
+    - Suggests libam-sss and libam-pkcs11
+  * debian/gdm3.alternatives:
+    - Add gdm-smartcard alternatives to be used as /etc/pam.d/gdm-smartcard
+  * debian/patches: Cherry-pick upstream fixes, including better auth error
+    handling (LP: #1865838)
+
+ -- Marco Trevisan (Treviño) <marco@ubuntu.com>  Thu, 25 Feb 2021 16:40:24 +0100
+
+gdm3 (3.38.2.1-1) unstable; urgency=medium
+
+  * New upstream release
+  * debian/control.in: Add a Homepage field (Closes: #976768)
+
+ -- Laurent Bigonville <bigon@debian.org>  Fri, 18 Dec 2020 19:35:23 +0100
+
+gdm3 (3.38.2-1) unstable; urgency=medium
+
+  * Team upload
+
+  [ Simon McVittie ]
+  * New upstream release
+    - Fix location of locale directory
+    - display: Exit with failure if loading existing users fails
+      (GHSL-2020-202, CVE-2020-16125)
+  * Xsession: Use run-parts --list instead of reimplementing it.
+    Taken from x11-common.
+
+  [ Dmitry Borodaenko ]
+  * Implement has_option in Xsession.
+    Now that x11-common moved this function from 20x11-common_process-args
+    to Xsession (see #920778), gdm's version of Xsession also has to
+    implement it. (Closes: #972108)
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 04 Nov 2020 17:41:42 +0000
+
 gdm3 (3.38.1-2ubuntu1.1) groovy-security; urgency=medium

  * SECURITY UPDATE: gnome-initial-setup launch issue

--- a/debian/control
+++ b/debian/control
@@ -7,7 +7,7 @@ Section: gnome
 Priority: optional
 Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
 XSBC-Original-Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
-Uploaders: Iain Lane <laney@debian.org>, Jeremy Bicha <jbicha@debian.org>, Laurent Bigonville <bigon@debian.org>
+Uploaders: Iain Lane <laney@debian.org>, Laurent Bigonville <bigon@debian.org>
 Build-Depends: check (>= 0.9.4),
               dconf-cli (>= 0.19.90),
               debhelper-compat (= 13),
@@ -48,6 +48,7 @@ XS-Debian-Vcs-Browser: https://salsa.debian.org/gnome-team/gdm
 Vcs-Git: https://salsa.debian.org/gnome-team/gdm.git -b ubuntu/master
 Vcs-Browser: https://salsa.debian.org/gnome-team/gdm/tree/ubuntu/master
 Rules-Requires-Root: no
+Homepage: https://wiki.gnome.org/Projects/GDM/

 Package: gdm3
 Architecture: linux-any
@@ -80,12 +81,14 @@ Depends: accountsservice (>= 0.6.35),
         ${misc:Depends},
         ${shlibs:Depends}
 Recommends: at-spi2-core,
-            libpam-fprintd (>= 0.8.0-2),
            x11-xkb-utils,
            xserver-xephyr,
            xserver-xorg,
            zenity
 Suggests: gnome-orca,
+          libpam-fprintd (>= 0.8.0-2),
+          libpam-sss (>= 2.3.0-1),
+          libpam-pkcs11,
          libpam-gnome-keyring
 Provides: x-display-manager
 Breaks: pulseaudio (<< 11.1-2),

--- a/debian/control.in
+++ b/debian/control.in
@@ -44,6 +44,7 @@ XS-Debian-Vcs-Browser: https://salsa.debian.org/gnome-team/gdm
 Vcs-Git: https://salsa.debian.org/gnome-team/gdm.git -b ubuntu/master
 Vcs-Browser: https://salsa.debian.org/gnome-team/gdm/tree/ubuntu/master
 Rules-Requires-Root: no
+Homepage: https://wiki.gnome.org/Projects/GDM/

 Package: gdm3
 Architecture: linux-any
@@ -76,12 +77,14 @@ Depends: accountsservice (>= 0.6.35),
         ${misc:Depends},
         ${shlibs:Depends}
 Recommends: at-spi2-core,
-            libpam-fprintd (>= 0.8.0-2),
            x11-xkb-utils,
            xserver-xephyr,
            xserver-xorg,
            zenity
 Suggests: gnome-orca,
+          libpam-fprintd (>= 0.8.0-2),
+          libpam-sss (>= 2.3.0-1),
+          libpam-pkcs11,
          libpam-gnome-keyring
 Provides: x-display-manager
 Breaks: pulseaudio (<< 11.1-2),

--- a/debian/gdm3.alternatives
+++ b/debian/gdm3.alternatives
+Name: gdm-smartcard
+Link: /etc/pam.d/gdm-smartcard
+Alternative: /etc/pam.d/gdm-smartcard-sssd-exclusive
+Priority: 50
+
+Name: gdm-smartcard
+Link: /etc/pam.d/gdm-smartcard
+Alternative: /etc/pam.d/gdm-smartcard-sssd-or-password
+Priority: 40
+
+Name: gdm-smartcard
+Link: /etc/pam.d/gdm-smartcard
+Alternative: /etc/pam.d/gdm-smartcard-pkcs11-exclusive
+Priority: 30
--- a/debian/gdm3.gdm-smartcard-pkcs11-exclusive.pam
+++ b/debian/gdm3.gdm-smartcard-pkcs11-exclusive.pam
+#%PAM-1.0
+auth    requisite       pam_nologin.so
+auth	required	    pam_succeed_if.so user != root quiet_success
+auth    required	    pam_pkcs11.so
+auth    optional        pam_gnome_keyring.so
+
+@include common-account
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session required        pam_loginuid.so
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# pam_selinux.so changes the SELinux context of the used TTY and configures
+# SELinux in order to transition to the user context with the next execve()
+# call.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+session optional        pam_keyinit.so force revoke
+session required        pam_limits.so
+session required        pam_env.so readenv=1
+session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+@include common-session
+session optional        pam_gnome_keyring.so auto_start
--- a/debian/gdm3.gdm-smartcard-sssd-exclusive.pam
+++ b/debian/gdm3.gdm-smartcard-sssd-exclusive.pam
+#%PAM-1.0
+auth    requisite       pam_nologin.so
+auth	required	    pam_succeed_if.so user != root quiet_success
+auth    required	    pam_sss.so allow_missing_name require_cert_auth
+auth    optional        pam_gnome_keyring.so
+
+@include common-account
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session required        pam_loginuid.so
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# pam_selinux.so changes the SELinux context of the used TTY and configures
+# SELinux in order to transition to the user context with the next execve()
+# call.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+session optional        pam_keyinit.so force revoke
+session required        pam_limits.so
+session required        pam_env.so readenv=1
+session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+@include common-session
+session optional        pam_gnome_keyring.so auto_start
--- a/debian/gdm3.gdm-smartcard-sssd-or-password.pam
+++ b/debian/gdm3.gdm-smartcard-sssd-or-password.pam
+#%PAM-1.0
+auth    requisite       pam_nologin.so
+auth	required        pam_succeed_if.so user != root quiet_success
+auth    sufficient      pam_sss.so allow_missing_name try_cert_auth
+@include common-auth
+auth    optional        pam_gnome_keyring.so
+
+@include common-account
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session required        pam_loginuid.so
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# pam_selinux.so changes the SELinux context of the used TTY and configures
+# SELinux in order to transition to the user context with the next execve()
+# call.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+session optional        pam_keyinit.so force revoke
+session required        pam_limits.so
+session required        pam_env.so readenv=1
+session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+@include common-session
+session optional        pam_gnome_keyring.so auto_start
+@include common-password
--- a/debian/gdm3.prerm
+++ b/debian/gdm3.prerm
@@ -61,4 +61,19 @@ if [ "$1" = "remove" -o "$1" = "deconfigure" ]; then
  fi
 fi

+
+if [ "$1" = "remove" ]; then
+  if [ -x /etc/init.d/gdm3 ]; then
+    nostop=
+    for hostname in "" "localhost" "$(hostname)" "$(hostname -f)"; do
+      if echo $DISPLAY | grep -q "^$hostname:0.*"; then
+        nostop=yes
+      fi
+    done
+    if [ -z $nostop ]; then
+      invoke-rc.d gdm3 stop
+    fi
+  fi
+fi
+
 #DEBHELPER#
--- a/debian/patches/CVE-2020-16125.patch
+++ b/debian/patches/CVE-2020-16125.patch
-Description: fail if accountsservice could not be contacted
-Origin: upstream, https://gitlab.gnome.org/GNOME/gdm/-/merge_requests/117
-
-diff --git a/daemon/gdm-display.c b/daemon/gdm-display.c
-index d1d24956f544587ab3d0924a3045b23f696e35c0..7c954ad24f861241213a85f4908d8a2ed93c30ec 100644
--- a/daemon/gdm-display.c
-+++ b/daemon/gdm-display.c
-@@ -510,13 +510,13 @@ gdm_display_real_prepare (GdmDisplay *self)
-         return TRUE;
- }
- 
-static void
-+static gboolean
- look_for_existing_users_sync (GdmDisplay *self)
- {
-         GdmDisplayPrivate *priv;
-        GError *error = NULL;
-        GVariant *call_result;
-        GVariant *user_list;
-+        g_autoptr(GError) error = NULL;
-+        g_autoptr(GVariant) call_result = NULL;
-+        g_autoptr(GVariant) user_list = NULL;
- 
-         priv = gdm_display_get_instance_private (self);
-         priv->accountsservice_proxy = g_dbus_proxy_new_sync (priv->connection,
-@@ -528,8 +528,8 @@ look_for_existing_users_sync (GdmDisplay *self)
-                                                              &error);
- 
-         if (!priv->accountsservice_proxy) {
-                g_warning ("Failed to contact accountsservice: %s", error->message);
-                goto out;
-+                g_critical ("Failed to contact accountsservice: %s", error->message);
-+                return FALSE;
-         }
- 
-         call_result = g_dbus_proxy_call_sync (priv->accountsservice_proxy,
-@@ -541,16 +541,14 @@ look_for_existing_users_sync (GdmDisplay *self)
-                                               &error);
- 
-         if (!call_result) {
-                g_warning ("Failed to list cached users: %s", error->message);
-                goto out;
-+                g_critical ("Failed to list cached users: %s", error->message);
-+                return FALSE;
-         }
- 
-         g_variant_get (call_result, "(@ao)", &user_list);
-         priv->have_existing_user_accounts = g_variant_n_children (user_list) > 0;
-        g_variant_unref (user_list);
-        g_variant_unref (call_result);
-out:
-        g_clear_error (&error);
-+
-+        return TRUE;
- }
- 
- gboolean
-@@ -568,7 +566,9 @@ gdm_display_prepare (GdmDisplay *self)
-         /* FIXME: we should probably do this in a more global place,
-          * asynchronously
-          */
-        look_for_existing_users_sync (self);
-+        if (!look_for_existing_users_sync (self)) {
-+                exit (EXIT_FAILURE);
-+        }
- 
-         priv->doing_initial_setup = wants_initial_setup (self);
- 
--- a/debian/patches/gdm-wayland-x-session-don-t-overwrite-user-env-with-fallb.patch
+++ b/debian/patches/gdm-wayland-x-session-don-t-overwrite-user-env-with-fallb.patch
+From: Gigadoc2 <gigadoc2@revreso.de>
+Date: Sat, 12 Sep 2020 19:57:46 +0200
+Subject: gdm-{wayland,x}-session: don't overwrite user env with fallback vars
+
+In both gdm-wayland-session and gdm-x-session, environment variables
+from the systemd user manager are imported, if it is available. Those
+environment variables are set up for the session-to-be-spawned, however,
+environment variables that the gdm-{wayland,x}-session process itself
+has are also inherited to the new session, and they are given preference
+over what is imported from systemd.
+
+That is not accidential, the gdm-{wayland,x}-session process has fresh
+variables as to what the new user session will be (think $DISPLAY,
+$XDG_CURRENT_DESKTOP, etc.) and those should not be overwritten by stale
+data from the systemd user manager, who might have those variables still
+set from a previous session.
+As the gdm-{wayland,x}-session process does not inherit the environment
+in which GDM itself is launched, but gets a fresh environment with only
+purposefully added variables, this is in general not a problem (i.e.
+there are no environment variables from the systemd system instance
+overwriting those in our user session).
+
+However, the GDM session worker sets a default fallback PATH for
+gdm-{wayland,x}-session. This then gets preferred over whatever the
+systemd user manager has, resulting in the session always getting the
+fallback PATH.
+
+As GDM probably needs to consider scenarios where no variables can get
+imported from the systemd user manager (maybe it is not used at all),
+removing the default PATH is not an option. Instead, this commit adds a
+list of environment variables declared as fallbacks, for which we the
+imported variables _do_ get preference over our own ones. Currently,
+this is only PATH.
+
+Closes: https://gitlab.gnome.org/GNOME/gdm/-/issues/385
+
+Origin: https://gitlab.gnome.org/GNOME/gdm/-/commit/ccecd9c9
+---
+ daemon/gdm-wayland-session.c | 22 +++++++++++++++++++++-
+ daemon/gdm-x-session.c       | 22 +++++++++++++++++++++-
+ 2 files changed, 42 insertions(+), 2 deletions(-)
+
+diff --git a/daemon/gdm-wayland-session.c b/daemon/gdm-wayland-session.c
+index 35679b1..d0404d2 100644
+--- a/daemon/gdm-wayland-session.c
+++ b/daemon/gdm-wayland-session.c
+@@ -289,6 +289,17 @@ spawn_session (State        *state,
+                                                     "WAYLAND_SOCKET",
+                                                     "GNOME_SHELL_SESSION_MODE",
+                                                     NULL };
+        /* The environment variables listed below are those we have set (or
+         * received from our own execution environment) only as a fallback to
+         * make things work, as opposed to a information directly pertaining to
+         * the session about to be started. Variables listed here will not
+         * overwrite the existing environment (possibly) imported from the
+         * systemd --user instance.
+         * As an example: We need a PATH for some of the launched subprocesses
+         * to work, but if the user (or the distributor) has customized the PATH
+         * via one of systemds user-environment-generators, that version should
+         * be preferred. */
+        static const char  *fallback_variables[] = { "PATH", NULL };
+ 
+         g_debug ("Running wayland session");
+ 
+@@ -320,7 +331,16 @@ spawn_session (State        *state,
+                                 continue;
+                         }
+ 
+-                        g_subprocess_launcher_setenv (launcher, environment_entry[0], environment_entry[1], FALSE);
+                        /* Merge the environment block imported from systemd --user with the
+                         * environment we have set for ourselves (and thus pass on to the
+                         * launcher process). Variables we have set have precedence, as to not
+                         * import stale data from prior user sessions, with the exception of
+                         * those listed in fallback_variables. See the comment there for more
+                         * explanations. */
+                        g_subprocess_launcher_setenv (launcher,
+                                                      environment_entry[0],
+                                                      environment_entry[1],
+                                                      g_strv_contains (fallback_variables, environment_entry[0]));
+                 }
+ 
+                 /* Don't allow session specific environment variables from earlier sessions to
+diff --git a/daemon/gdm-x-session.c b/daemon/gdm-x-session.c
+index b154836..5962da5 100644
+--- a/daemon/gdm-x-session.c
+++ b/daemon/gdm-x-session.c
+@@ -615,6 +615,17 @@ spawn_session (State        *state,
+                                                      "WAYLAND_SOCKET",
+                                                      "GNOME_SHELL_SESSION_MODE",
+                                                      NULL };
+        /* The environment variables listed below are those we have set (or
+         * received from our own execution environment) only as a fallback to
+         * make things work, as opposed to a information directly pertaining to
+         * the session about to be started. Variables listed here will not
+         * overwrite the existing environment (possibly) imported from the
+         * systemd --user instance.
+         * As an example: We need a PATH for some of the launched subprocesses
+         * to work, but if the user (or the distributor) has customized the PATH
+         * via one of systemds user-environment-generators, that version should
+         * be preferred. */
+        static const char  *fallback_variables[] = { "PATH", NULL };
+ 
+         g_debug ("Running X session");
+ 
+@@ -636,7 +647,16 @@ spawn_session (State        *state,
+                                 continue;
+                         }
+ 
+-                        g_subprocess_launcher_setenv (launcher, environment_entry[0], environment_entry[1], FALSE);
+                        /* Merge the environment block imported from systemd --user with the
+                         * environment we have set for ourselves (and thus pass on to the
+                         * launcher process). Variables we have set have precedence, as to not
+                         * import stale data from prior user sessions, with the exception of
+                         * those listed in fallback_variables. See the comment there for more
+                         * explanations. */
+                        g_subprocess_launcher_setenv (launcher,
+                                                      environment_entry[0],
+                                                      environment_entry[1],
+                                                      g_strv_contains (fallback_variables, environment_entry[0]));
+                 }
+ 
+                 /* Don't allow session specific environment variables from earlier sessions to
--- a/debian/patches/series
+++ b/debian/patches/series
+session-worker-Use-a-clearer-message-on-max-retries-error.patch
+session-worker-Mention-the-authentication-method-if-known.patch
+session-worker-Remove-stray-comma.patch
+session-Threat-PAM-max-retries-error-as-service-unavailab.patch
+gdm-wayland-x-session-don-t-overwrite-user-env-with-fallb.patch
 16_xserver_path.patch
 90_config_comments.patch
 91_dconf_database_path.patch
@@ -13,4 +18,3 @@ ubuntu/dont_set_language_env.patch
 ubuntu/prefer_ubuntu_session_fallback.patch
 ubuntu/gdm3.service-wait-for-drm-device-before-trying-to-start-i.patch
 ubuntu/XSession-Use-x-terminal-emulator-as-fallback-instead-of-x.patch
-CVE-2020-16125.patch
--- a/debian/patches/session-Threat-PAM-max-retries-error-as-service-unavailab.patch
+++ b/debian/patches/session-Threat-PAM-max-retries-error-as-service-unavailab.patch
+From: =?utf-8?b?Ik1hcmNvIFRyZXZpc2FuIChUcmV2acOxbyki?= <mail@3v1n0.net>
+Date: Tue, 16 Feb 2021 01:33:11 +0100
+Subject: session: Threat PAM max retries error as service unavailable
+
+When a service has returned PAM_MAXTRIES error code we should both emit
+the error message and also ensure that this service isn't marked as
+available again for the current session, to prevent us to restart the
+authentication of it.
+
+An example of this can be the PAM fprintd module that will return us a
+max retries error when the user tried to use his finger more times than
+configured. In such scenario we want to both prompt the error to the
+user and prevent that this module is used again if the user can still
+use other authentication methods.
+
+So add an error specialization for PAM_MAXTRIES and threat it as service
+unavailable error when emitting it.
+
+Origin: https://gitlab.gnome.org/GNOME/gdm/-/commit/504fec05
+---
+ daemon/gdm-session-worker-common.h | 1 +
+ daemon/gdm-session-worker.c        | 7 +++++++
+ daemon/gdm-session.c               | 5 ++++-
+ 3 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/gdm-session-worker-common.h b/daemon/gdm-session-worker-common.h
+index a55e2b2..7dab7d4 100644
+--- a/daemon/gdm-session-worker-common.h
+++ b/daemon/gdm-session-worker-common.h
+@@ -36,6 +36,7 @@ typedef enum _GdmSessionWorkerError {
+         GDM_SESSION_WORKER_ERROR_COMMUNICATING,
+         GDM_SESSION_WORKER_ERROR_WORKER_DIED,
+         GDM_SESSION_WORKER_ERROR_SERVICE_UNAVAILABLE,
+        GDM_SESSION_WORKER_ERROR_TOO_MANY_RETRIES,
+         GDM_SESSION_WORKER_ERROR_AUTHENTICATING,
+         GDM_SESSION_WORKER_ERROR_AUTHORIZING,
+         GDM_SESSION_WORKER_ERROR_OPENING_LOG_FILE,
+diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c
+index e4d2e3f..cb53e46 100644
+--- a/daemon/gdm-session-worker.c
+++ b/daemon/gdm-session-worker.c
+@@ -1283,6 +1283,13 @@ gdm_session_worker_authenticate_user (GdmSessionWorker *worker,
+                              GDM_SESSION_WORKER_ERROR_SERVICE_UNAVAILABLE,
+                              "%s", "");
+                 goto out;
+        } else if (error_code == PAM_MAXTRIES) {
+                g_debug ("GdmSessionWorker: authentication service had too many retries");
+                g_set_error_literal (error,
+                                     GDM_SESSION_WORKER_ERROR,
+                                     GDM_SESSION_WORKER_ERROR_TOO_MANY_RETRIES,
+                                     get_friendly_error_message (worker, error_code));
+                goto out;
+         } else if (error_code != PAM_SUCCESS) {
+                 g_debug ("GdmSessionWorker: authentication returned %d: %s", error_code, pam_strerror (worker->priv->pam_handle, error_code));
+ 
+diff --git a/daemon/gdm-session.c b/daemon/gdm-session.c
+index ca7d98f..bab470b 100644
+--- a/daemon/gdm-session.c
+++ b/daemon/gdm-session.c
+@@ -220,7 +220,10 @@ report_and_stop_conversation (GdmSession *self,
+         if (self->user_verifier_interface != NULL) {
+                 if (g_error_matches (error,
+                                      GDM_SESSION_WORKER_ERROR,
+-                                     GDM_SESSION_WORKER_ERROR_SERVICE_UNAVAILABLE)) {
+                                     GDM_SESSION_WORKER_ERROR_SERVICE_UNAVAILABLE) ||
+                    g_error_matches (error,
+                                     GDM_SESSION_WORKER_ERROR,
+                                     GDM_SESSION_WORKER_ERROR_TOO_MANY_RETRIES)) {
+                         gdm_dbus_user_verifier_emit_service_unavailable (self->user_verifier_interface,
+                                                                          service_name,
+                                                                          error->message);
--- a/debian/patches/session-worker-Mention-the-authentication-method-if-known.patch
+++ b/debian/patches/session-worker-Mention-the-authentication-method-if-known.patch
+From: =?utf-8?b?Ik1hcmNvIFRyZXZpc2FuIChUcmV2acOxbyki?= <mail@3v1n0.net>
+Date: Tue, 24 Nov 2020 18:24:34 +0100
+Subject: session-worker: Mention the authentication method (if known) on
+ error messages
+
+When we use a gdm well known authentication method, we can be a bit more
+clear when showing the error to the user on what explicitly failed.
+
+So add functions to get the friendly error message per authentication
+method.
+
+To make them clearer for translators, I've added some repeated strings
+as generating them could lead to misleading results in some locales.
+
+Origin: https://gitlab.gnome.org/GNOME/gdm/-/commit/e2f3b1a5
+---
+ daemon/gdm-session-worker.c | 53 ++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 48 insertions(+), 5 deletions(-)
+
+diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c
+index 8d9aca7..162c1a9 100644
+--- a/daemon/gdm-session-worker.c
+++ b/daemon/gdm-session-worker.c
+@@ -744,7 +744,50 @@ gdm_session_worker_process_pam_message (GdmSessionWorker          *worker,
+ }
+ 
+ static const char *
+-get_friendly_error_message (int error_code)
+get_max_retries_error_message (GdmSessionWorker *worker)
+{
+        if (g_strcmp0 (worker->priv->service, "gdm-password") == 0)
+                return _("You reached the maximum password authentication attempts, please try another method");
+
+        if (g_strcmp0 (worker->priv->service, "gdm-pin") == 0)
+                return _("You reached the maximum PIN authentication attempts, please try another method");
+
+        if (g_strcmp0 (worker->priv->service, "gdm-autologin") == 0)
+                return _("You reached the maximum auto login attempts, please try another authentication method");
+
+        if (g_strcmp0 (worker->priv->service, "gdm-fingerprint") == 0)
+                return _("You reached the maximum fingerprint authentication attempts, please try another method");
+
+        if (g_strcmp0 (worker->priv->service, "gdm-smartcard") == 0)
+                return _("You reached the maximum smart card authentication attempts, please try another method");
+
+        return _("You reached the maximum authentication attempts, please try another method");
+}
+
+static const char *
+get_generic_error_message (GdmSessionWorker *worker)
+{
+        if (g_strcmp0 (worker->priv->service, "gdm-password") == 0)
+                return _("Sorry, password authentication didn’t work. Please try again.");
+
+        if (g_strcmp0 (worker->priv->service, "gdm-pin") == 0)
+                return _("Sorry, PIN authentication didn’t work. Please try again.");
+
+        if (g_strcmp0 (worker->priv->service, "gdm-autologin") == 0)
+                return _("Sorry, auto login, didn’t work. Please try again.");
+
+        if (g_strcmp0 (worker->priv->service, "gdm-fingerprint") == 0)
+                return _("Sorry, fingerprint authentication didn’t work. Please try again.");
+
+        if (g_strcmp0 (worker->priv->service, "gdm-smartcard") == 0)
+                return _("Sorry, smart card authentication didn’t work. Please try again.");
+
+        return _("Sorry, that didn’t work. Please try again.");
+}
+
+static const char *
+get_friendly_error_message (GdmSessionWorker *worker,
+                            int               error_code)
+ {
+         switch (error_code) {
+             case PAM_SUCCESS:
+@@ -758,13 +801,13 @@ get_friendly_error_message (int error_code)
+                 break;
+ 
+             case PAM_MAXTRIES:
+-                return _("You reached the maximum authentication attempts, please try another method");
+                return get_max_retries_error_message (worker);
+ 
+             default:
+                 break;
+         }
+ 
+-        return _("Sorry, that didn’t work. Please try again.");
+        return get_generic_error_message (worker);
+ }
+ 
+ static int
+@@ -1254,7 +1297,7 @@ gdm_session_worker_authenticate_user (GdmSessionWorker *worker,
+                 g_set_error (error,
+                              GDM_SESSION_WORKER_ERROR,
+                              GDM_SESSION_WORKER_ERROR_AUTHENTICATING,
+-                             "%s", get_friendly_error_message (error_code));
+                             "%s", get_friendly_error_message (worker, error_code));
+                 goto out;
+         }
+ 
+@@ -1319,7 +1362,7 @@ gdm_session_worker_authorize_user (GdmSessionWorker *worker,
+                 g_set_error (error,
+                              GDM_SESSION_WORKER_ERROR,
+                              GDM_SESSION_WORKER_ERROR_AUTHORIZING,
+-                             "%s", get_friendly_error_message (error_code));
+                             "%s", get_friendly_error_message (worker, error_code));
+                 goto out;
+         }
+ 
--- a/debian/patches/session-worker-Remove-stray-comma.patch
+++ b/debian/patches/session-worker-Remove-stray-comma.patch
+From: =?utf-8?b?Ik1hcmNvIFRyZXZpc2FuIChUcmV2acOxbyki?= <mail@3v1n0.net>
+Date: Mon, 21 Dec 2020 16:53:55 +0100
+Subject: session-worker: Remove stray comma
+
+Origin: https://gitlab.gnome.org/GNOME/gdm/-/commit/40bf4d3e
+---
+ daemon/gdm-session-worker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c
+index 162c1a9..e4d2e3f 100644
+--- a/daemon/gdm-session-worker.c
+++ b/daemon/gdm-session-worker.c
+@@ -774,7 +774,7 @@ get_generic_error_message (GdmSessionWorker *worker)
+                 return _("Sorry, PIN authentication didn’t work. Please try again.");
+ 
+         if (g_strcmp0 (worker->priv->service, "gdm-autologin") == 0)
+-                return _("Sorry, auto login, didn’t work. Please try again.");
+                return _("Sorry, auto login didn’t work. Please try again.");
+ 
+         if (g_strcmp0 (worker->priv->service, "gdm-fingerprint") == 0)
+                 return _("Sorry, fingerprint authentication didn’t work. Please try again.");