diff --git a/SOURCES/libpng-CVE-2015-8126.patch b/SOURCES/libpng-CVE-2015-8126.patch
new file mode 100644
index 0000000..c3528f4
--- /dev/null
+++ b/SOURCES/libpng-CVE-2015-8126.patch
@@ -0,0 +1,107 @@
+diff --git a/pngrutil.c b/pngrutil.c
+index 4ef05fe..f6f0864 100644
+--- a/pngrutil.c
++++ b/pngrutil.c
+@@ -596,7 +596,7 @@ void /* PRIVATE */
+ png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
+ {
+ png_color palette[PNG_MAX_PALETTE_LENGTH];
+- int num, i;
++ int max_palette_length, num, i;
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+ png_colorp pal_ptr;
+ #endif
+@@ -648,9 +648,21 @@ png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
+ png_error(png_ptr, "Invalid palette chunk");
+ }
+ }
+-
++ /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
+ num = (int)length / 3;
+ 
++ /* If the palette has 256 or fewer entries but is too large for the bit
++ * depth, we don't issue an error, to preserve the behavior of previous
++ * libpng versions. We silently truncate the unused extra palette entries
++ * here.
++ */
++ if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
++ max_palette_length = (1 << png_ptr->bit_depth);
++ else
++ max_palette_length = PNG_MAX_PALETTE_LENGTH;
++ if (num > max_palette_length)
++ num = max_palette_length;
++
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+ for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
+ {
+@@ -683,7 +695,7 @@ png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
+ if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+ #endif
+ {
+- png_crc_finish(png_ptr, 0);
++ png_crc_finish(png_ptr, (int) length - num * 3);
+ }
+ 
+ #ifndef PNG_READ_OPT_PLTE_SUPPORTED
+diff --git a/pngset.c b/pngset.c
+index 8e3f39a..c252088 100644
+--- a/pngset.c
++++ b/pngset.c
+@@ -517,13 +517,17 @@ png_set_PLTE(png_structp png_ptr, png_infop info_ptr,
+ png_const_colorp palette, int num_palette)
+ {
+ 
++ png_uint_32 max_palette_length;
++
+ png_debug1(1, "in %s storage function", "PLTE");
+ 
+ if (png_ptr == NULL || info_ptr == NULL)
+ return;
+ 
+- if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
+- {
++ max_palette_length 
= (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
++ (1 << info_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
++
++ if (num_palette < 0 || num_palette > (int) max_palette_length) {
+ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+ png_error(png_ptr, "Invalid palette length");
+ 
+@@ -551,8 +555,8 @@ png_set_PLTE(png_structp png_ptr, png_infop info_ptr,
+ png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
+ 
+ /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
+- * of num_palette entries, in case of an invalid PNG file that has
+- * too-large sample values.
++ * of num_palette entries, in case of an invalid PNG file or incorrect
++ * call to png_set_PLTE() with too-large sample values.
+ */
+ png_ptr->palette = (png_colorp)png_calloc(png_ptr,
+ PNG_MAX_PALETTE_LENGTH * png_sizeof(png_color));
+diff --git a/pngwutil.c b/pngwutil.c
+index 19b75af..7ecaaca 100644
+--- a/pngwutil.c
++++ b/pngwutil.c
+@@ -896,17 +896,20 @@ void /* PRIVATE */
+ png_write_PLTE(png_structp png_ptr, png_const_colorp palette,
+ png_uint_32 num_pal)
+ {
+- png_uint_32 i;
++ png_uint_32 max_palette_length, i;
+ png_const_colorp pal_ptr;
+ png_byte buf[3];
+ 
++ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
++ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
++
+ png_debug(1, "in png_write_PLTE");
+ 
+ if ((
+ #ifdef PNG_MNG_FEATURES_SUPPORTED
+ !(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) &&
+ #endif
+- num_pal == 0) || num_pal > 256)
++ num_pal == 0) || num_pal > max_palette_length)
+ {
+ if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+ {
diff --git a/SPECS/libpng.spec b/SPECS/libpng.spec
index 0d04f1a..cce2847 100644
--- a/SPECS/libpng.spec
+++ b/SPECS/libpng.spec
@@ -2,7 +2,7 @@ Summary: A library of functions for manipulating PNG image format files
 Name: libpng
 Epoch: 2
 Version: 1.5.13
-Release: 5%{?dist}
+Release: 7%{?dist}
 License: zlib
 Group: System Environment/Libraries
 URL: http://www.libpng.org/pub/png/
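Review bot: The new bound in the pngset.c hunk, `max_palette_length = (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? (1 << info_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;`, is only as safe as `info_ptr->bit_depth`, which nothing in this patch checks: if `png_set_PLTE()` is reached with a palette color type and a `bit_depth` that IHDR validation (outside the patch) has not capped at 8, the bound exceeds the `PNG_MAX_PALETTE_LENGTH`-sized buffer the second pngset.c hunk allocates, and the `num_palette` entries are presumably copied into that buffer further down in the function (outside the hunk). Making the shift itself conditional keeps the check independent of call order and keeps the shift count below 8: `max_palette_length = (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE && info_ptr->bit_depth < 8) ? (1 << info_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;`. The same expression appears in the pngrutil.c and pngwutil.c hunks; in `png_handle_PLTE` the comment above `num = (int)length / 3;` says an earlier length check already bounds `num` to 256 entries, so truncation is safe there, but applying the same form at all three sites would keep them consistent. `png_handle_PLTE`, `png_set_PLTE` and `png_write_PLTE` all continue outside their hunks.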
@@ -15,6 +15,7 @@ Source1: pngusr.dfa
 Patch0: libpng-multilib.patch
 Patch1: libpng-CVE-2013-6954.patch
+Patch2: libpng-CVE-2015-8126.patch
 BuildRequires: zlib-devel, pkgconfig
@@ -60,6 +61,7 @@ cp -p %{SOURCE1} .
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 %build
 %configure
@@ -91,6 +93,15 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/*.la
 %{_libdir}/libpng*.a
 %changelog
+* Sat Nov 28 2015 Petr Hracek - 2:1.5.13-7
+- Security fix for CVE-2015-8126
+- Changing png_ptr to info_ptf based on upstream
+- Related: #1283576
+
+* Fri Nov 20 2015 Petr Hracek - 2:1.5.13-6
+- Security fix for CVE-2015-8126
+- Resolves: #1283576
+
 * Wed Jan 29 2014 Petr Hracek - 2:1.5.13-5
 - Adding patch CVE-2013-6954
 - Resolves: #1056863