diff -Nru libpng-1.2.51/debian/changelog libpng-1.2.51/debian/changelog
--- libpng-1.2.51/debian/changelog	2014-10-21 14:30:02.000000000 -0400
+++ libpng-1.2.51/debian/changelog	2015-11-18 20:25:50.000000000 -0500
@@ -1,3 +1,14 @@
+libpng (1.2.51-0ubuntu3.15.04.1) vivid-security; urgency=medium
+
+  * SECURITY UPDATE: Multiple buffer overflows in the (1) png_set_PLTE
+    and (2) png_get_PLTE (LP: #1516592).
+   - debian/patches/CVE-2015-8126.diff: Prevent writing over-length
+     PLTE chunk and silently truncate over-length PLTE chunk while reading.
+     Backported from upstream patch.
+   - CVE-2015-8126
+
+ -- Andrew Starr-Bochicchio <a.starr.b@gmail.com>  Wed, 18 Nov 2015 19:29:31 -0500
+
 libpng (1.2.51-0ubuntu3) utopic; urgency=medium
 
   * No-change rebuild to get debug symbols on all architectures.
diff -Nru libpng-1.2.51/debian/patches/CVE-2015-8126.diff libpng-1.2.51/debian/patches/CVE-2015-8126.diff
--- libpng-1.2.51/debian/patches/CVE-2015-8126.diff	1969-12-31 19:00:00.000000000 -0500
+++ libpng-1.2.51/debian/patches/CVE-2015-8126.diff	2015-11-18 19:27:15.000000000 -0500
@@ -0,0 +1,114 @@
+Origin: backport
+From 475bab6170f651b9863e9fc1b8ffd6cd89a45aa0 Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Sat, 31 Oct 2015 08:39:01 -0500
+Ubuntu-Bug: https://bugs.launchpad.net/ubuntu/+source/libpng/+bug/1516592
+Subject: [PATCH] [libpng12] Prevent writing over-length PLTE chunk (Cosmin
+ Truta) and silently truncate over-length PLTE chunk while reading.
+
+Index: libpng-1.2.51/pngrutil.c
+===================================================================
+--- libpng-1.2.51.orig/pngrutil.c	2014-02-05 22:52:35.000000000 -0500
++++ libpng-1.2.51/pngrutil.c	2015-11-18 19:23:29.242394925 -0500
+@@ -503,7 +503,7 @@
+ png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
+ {
+    png_color palette[PNG_MAX_PALETTE_LENGTH];
+-   int num, i;
++   int max_palette_length, num, i;
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+    png_colorp pal_ptr;
+ #endif
+@@ -555,8 +555,22 @@
+       }
+    }
+ 
++   /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
+    num = (int)length / 3;
+ 
++   /* If the palette has 256 or fewer entries but is too large for the bit
++    * depth, we don't issue an error, to preserve the behavior of previous
++    * libpng versions. We silently truncate the unused extra palette entries
++    * here.
++    */
++   if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
++      max_palette_length = (1 << png_ptr->bit_depth);
++   else
++      max_palette_length = PNG_MAX_PALETTE_LENGTH;
++
++   if (num > max_palette_length)
++      num = max_palette_length;
++
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+    for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
+    {
+@@ -589,7 +603,7 @@
+    if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+ #endif
+    {
+-      png_crc_finish(png_ptr, 0);
++      png_crc_finish(png_ptr, (int) length - num * 3);
+    }
+ #ifndef PNG_READ_OPT_PLTE_SUPPORTED
+    else if (png_crc_error(png_ptr))  /* Only if we have a CRC error */
+Index: libpng-1.2.51/pngset.c
+===================================================================
+--- libpng-1.2.51.orig/pngset.c	2014-02-05 22:52:35.000000000 -0500
++++ libpng-1.2.51/pngset.c	2015-11-18 19:20:24.182230859 -0500
+@@ -446,12 +446,17 @@
+    png_colorp palette, int num_palette)
+ {
+ 
++   png_uint_32 max_palette_length;
++
+    png_debug1(1, "in %s storage function", "PLTE");
+ 
+    if (png_ptr == NULL || info_ptr == NULL)
+       return;
+ 
+-   if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
++   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
++      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
++
++   if (num_palette < 0 || num_palette > (int) max_palette_length)
+    {
+       if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+          png_error(png_ptr, "Invalid palette length");
+@@ -471,8 +476,8 @@
+ #endif
+ 
+    /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
+-    * of num_palette entries, in case of an invalid PNG file that has
+-    * too-large sample values.
++    * of num_palette entries, in case of an invalid PNG file or incorrect
++    * call to png_set_PLTE() with too-large sample values.
+     */
+    png_ptr->palette = (png_colorp)png_calloc(png_ptr,
+       PNG_MAX_PALETTE_LENGTH * png_sizeof(png_color));
+Index: libpng-1.2.51/pngwutil.c
+===================================================================
+--- libpng-1.2.51.orig/pngwutil.c	2014-02-05 22:52:35.000000000 -0500
++++ libpng-1.2.51/pngwutil.c	2015-11-18 19:20:24.182230859 -0500
+@@ -575,17 +575,20 @@
+ #ifdef PNG_USE_LOCAL_ARRAYS
+    PNG_PLTE;
+ #endif
+-   png_uint_32 i;
++   png_uint_32 max_palette_length, i;
+    png_colorp pal_ptr;
+    png_byte buf[3];
+ 
+    png_debug(1, "in png_write_PLTE");
+ 
++   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
++      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
++
+    if ((
+ #ifdef PNG_MNG_FEATURES_SUPPORTED
+         !(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) &&
+ #endif
+-        num_pal == 0) || num_pal > 256)
++       num_pal == 0) || num_pal > max_palette_length)
+    {
+      if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+      {
diff -Nru libpng-1.2.51/debian/patches/series libpng-1.2.51/debian/patches/series
--- libpng-1.2.51/debian/patches/series	2014-07-25 08:08:30.000000000 -0400
+++ libpng-1.2.51/debian/patches/series	2015-11-18 19:18:29.000000000 -0500
@@ -1,2 +1,3 @@
 01-legacy.patch
 libpng-config.diff
+CVE-2015-8126.diff