diff -Nru tcpdump-4.5.1/debian/changelog tcpdump-4.5.1/debian/changelog
--- tcpdump-4.5.1/debian/changelog 2014-12-03 21:40:14.000000000 +0000
+++ tcpdump-4.5.1/debian/changelog 2015-04-24 17:06:07.000000000 +0000
@@ -1,3 +1,24 @@
+tcpdump (4.5.1-2ubuntu1.2) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service and possible code execution via
+ multiple issues (LP: #1444363)
+ - debian/patches/60_cve-2015-0261.diff: check lengths in
+ print-mobility.c.
+ - debian/patches/60_cve-2015-2153.diff: check length in
+ print-rpki-rtr.c.
+ - debian/patches/60_cve-2015-2153-fix-regression.diff: more length
+ checks in print-rpki-rtr.c.
+ - debian/patches/60_cve-2015-2154.diff: check lengths in
+ print-isoclns.c.
+ - debian/patches/60_cve-2015-2155.diff: make sure ops->print is valid
+ in print-forces.c.
+ - CVE-2015-0261
+ - CVE-2015-2153
+ - CVE-2015-2154
+ - CVE-2015-2155
+
+ -- Marc Deslauriers Fri, 24 Apr 2015 13:06:07 -0400
+
 tcpdump (4.5.1-2ubuntu1.1) trusty-security; urgency=medium
 * SECURITY UPDATE: denial of service and possible code execution in
diff -Nru tcpdump-4.5.1/debian/patches/60_cve-2015-0261.diff tcpdump-4.5.1/debian/patches/60_cve-2015-0261.diff
--- tcpdump-4.5.1/debian/patches/60_cve-2015-0261.diff 1970-01-01 00:00:00.000000000 +0000
+++ tcpdump-4.5.1/debian/patches/60_cve-2015-0261.diff 2015-04-24 17:27:04.000000000 +0000
@@ -0,0 +1,59 @@
+Description: fix denial of service and possible code execution
+Origin: vendor, backport of patch from Debian 4.6.2-4 package
+
+Index: tcpdump-4.5.1/print-mobility.c
+===================================================================
+--- tcpdump-4.5.1.orig/print-mobility.c 2015-04-24 12:59:49.274736915 -0400
++++ tcpdump-4.5.1/print-mobility.c 2015-04-24 12:59:49.274736915 -0400
+@@ -74,6 +74,18 @@
+ #define IP6M_BINDING_UPDATE 5 /* Binding Update */
+ #define IP6M_BINDING_ACK 6 /* Binding Acknowledgement */
+ #define IP6M_BINDING_ERROR 7 /* Binding Error */
++#define IP6M_MAX 7
++
++static const unsigned ip6m_hdrlen[IP6M_MAX + 1] = {
++ IP6M_MINLEN, /* IP6M_BINDING_REQUEST */
++ IP6M_MINLEN + 8, /* IP6M_HOME_TEST_INIT */
++ IP6M_MINLEN + 8, /* IP6M_CAREOF_TEST_INIT */
++ IP6M_MINLEN + 16, /* IP6M_HOME_TEST */
++ IP6M_MINLEN + 16, /* IP6M_CAREOF_TEST */
++ IP6M_MINLEN + 4, /* IP6M_BINDING_UPDATE */
++ IP6M_MINLEN + 4, /* IP6M_BINDING_ACK */
++ IP6M_MINLEN + 16, /* IP6M_BINDING_ERROR */
++};
+
+ /* Mobility Header Options */
+ #define IP6MOPT_MINLEN 2
+@@ -95,16 +107,20 @@
+ int optlen;
+
+ for (i = 0; i < len; i += optlen) {
++ TCHECK(bp[i]);
+ if (bp[i] == IP6MOPT_PAD1)
+ optlen = 1;
+ else {
+- if (i + 1 < len)
++ if (i + 1 < len) {
++ TCHECK(bp[i + 1]);
+ optlen = bp[i + 1] + 2;
++ }
+ else
+ goto trunc;
+ }
+ if (i + optlen > len)
+ goto trunc;
++ TCHECK(bp[i + optlen]);
+
+ switch (bp[i]) {
+ case IP6MOPT_PAD1:
+@@ -201,6 +217,10 @@
+
+ TCHECK(mh->ip6m_type);
+ type = mh->ip6m_type;
++ if (type <= IP6M_MAX && mhlen < ip6m_hdrlen[type]) {
++ printf("(header length %u is too small for type %u)", mhlen, type);
++ goto trunc;
++ }
+ switch (type) {
+ case IP6M_BINDING_REQUEST:
+ printf("mobility: BRR");
diff -Nru tcpdump-4.5.1/debian/patches/60_cve-2015-2153.diff tcpdump-4.5.1/debian/patches/60_cve-2015-2153.diff
--- tcpdump-4.5.1/debian/patches/60_cve-2015-2153.diff 1970-01-01 00:00:00.000000000 +0000
+++ 
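Review bot: The new `TCHECK(bp[i + optlen]);` in mobility_opt_print tests the byte after the option rather than its last byte, so an option that ends exactly at the end of the captured data is reported as truncated although it is fully present; `TCHECK(bp[i + optlen - 1]);` appears to give the same protection for the bytes the loop itself reads without the spurious `trunc`. The check also does not cover the per-type cases that follow the `switch`, which are outside the hunk: if they still compare `len - i` against the type's `*_MINLEN` constant rather than `optlen`, an option whose length byte understates its fixed size is still read past the checked range, so a per-case `if (optlen < ...) goto trunc;` is worth adding. The `ip6m_hdrlen` table check in mobility_print is fine as written; both enclosing functions start and end outside the hunk.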
tcpdump-4.5.1/debian/patches/60_cve-2015-2153.diff 2015-04-24 17:18:04.000000000 +0000
@@ -0,0 +1,27 @@
+Description: fix denial of service and possible code execution
+Origin: vendor, backport of patch from Debian 4.6.2-4 package
+
+Index: tcpdump-4.5.1/print-rpki-rtr.c
+===================================================================
+--- tcpdump-4.5.1.orig/print-rpki-rtr.c 2015-04-24 13:00:04.298649590 -0400
++++ tcpdump-4.5.1/print-rpki-rtr.c 2015-04-24 13:00:04.294649613 -0400
+@@ -184,6 +184,7 @@
+ pdu_header = (rpki_rtr_pdu *)tptr;
+ pdu_type = pdu_header->pdu_type;
+ pdu_len = EXTRACT_32BITS(pdu_header->length);
++ TCHECK2(tptr, pdu_len);
+ hexdump = FALSE;
+
+ printf("%sRPKI-RTRv%u, %s PDU (%u), length: %u",
+@@ -312,6 +313,11 @@
+ if (vflag > 1 || (vflag && hexdump)) {
+ print_unknown_data(tptr,"\n\t ", pdu_len);
+ }
++ return;
++
++ trunc:
++ printf("|trunc");
++ return;
+ }
+
+ void
diff -Nru tcpdump-4.5.1/debian/patches/60_cve-2015-2153-fix-regression.diff tcpdump-4.5.1/debian/patches/60_cve-2015-2153-fix-regression.diff
--- tcpdump-4.5.1/debian/patches/60_cve-2015-2153-fix-regression.diff 1970-01-01 00:00:00.000000000 +0000
+++ tcpdump-4.5.1/debian/patches/60_cve-2015-2153-fix-regression.diff 2015-04-24 17:18:21.000000000 +0000
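Review bot: The added length check bounds reads by the `pdu_len` the packet itself declares, but the per-PDU-type handlers further down (outside the hunk) cast `tptr` to fixed-size structs, so a `pdu_len` smaller than the struct for its type still lets the `EXTRACT_*` reads run past the checked span; a minimum-length test before each cast, e.g. `if (pdu_len < sizeof(rpki_rtr_pdu_error_report)) goto trunc;` for the error-report case, closes that. `pdu_type` and `length` are also read from the header before the check; unless the caller already verifies `sizeof(rpki_rtr_pdu)` captured bytes, a `TCHECK2(*tptr, sizeof(rpki_rtr_pdu));` should precede the `pdu_header` reads. The function whose `trunc:` label is added starts outside the hunk.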
@@ -0,0 +1,54 @@
+Description: RPKI to Router Protocol: Fix Segmentation Faults and other problems.
+ - Fix/add ND_TCHECK2 tests,
+ - Fix a buffer overflow,
+ - Remove a debug printf
+Origin: backport, https://github.com/the-tcpdump-group/tcpdump/commit/fb6e5377f392555b8c725f66b8b701f0061a3695
+
+Index: tcpdump-4.5.1/print-rpki-rtr.c
+===================================================================
+--- tcpdump-4.5.1.orig/print-rpki-rtr.c 2015-04-24 13:00:14.474590178 -0400
++++ tcpdump-4.5.1/print-rpki-rtr.c 2015-04-24 13:01:07.579134778 -0400
+@@ -184,7 +184,7 @@
+ pdu_header = (rpki_rtr_pdu *)tptr;
+ pdu_type = pdu_header->pdu_type;
+ pdu_len = EXTRACT_32BITS(pdu_header->length);
+- TCHECK2(tptr, pdu_len);
++ TCHECK2(*tptr, pdu_len);
+ hexdump = FALSE;
+
+ printf("%sRPKI-RTRv%u, %s PDU (%u), length: %u",
+@@ -261,6 +261,7 @@
+
+ pdu = (rpki_rtr_pdu_error_report *)tptr;
+ encapsulated_pdu_length = EXTRACT_32BITS(pdu->encapsulated_pdu_length);
++ TCHECK2(*tptr, encapsulated_pdu_length);
+ tlen = pdu_len;
+
+ error_code = EXTRACT_16BITS(pdu->pdu_header.u.error_code);
+@@ -293,9 +294,10 @@
+ tptr += 4;
+ tlen -= 4;
+ }
++ TCHECK2(*tptr, text_length);
+ if (text_length && (text_length <= tlen )) {
+ memcpy(buf, tptr, MIN(sizeof(buf)-1, text_length));
+- buf[text_length] = '\0';
++ buf[min(sizeof(buf) - 1, text_length)] = '\0';
+ printf("%sError text: %s", indent_string(indent+2), buf);
+ }
+ }
+@@ -342,13 +344,13 @@
+ pdu_header = (rpki_rtr_pdu *)tptr;
+ pdu_type = pdu_header->pdu_type;
+ pdu_len = EXTRACT_32BITS(pdu_header->length);
++ TCHECK2(*tptr, pdu_len);
+
+ /* infinite loop check */
+ if (!pdu_type || !pdu_len) {
+ break;
+ }
+
+- TCHECK2(*tptr, pdu_len);
+ if (tlen < pdu_len) {
+ goto trunc;
+ }
diff -Nru tcpdump-4.5.1/debian/patches/60_cve-2015-2154.diff tcpdump-4.5.1/debian/patches/60_cve-2015-2154.diff
--- tcpdump-4.5.1/debian/patches/60_cve-2015-2154.diff 1970-01-01 00:00:00.000000000 +0000
+++ tcpdump-4.5.1/debian/patches/60_cve-2015-2154.diff 
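Review bot: In the error-text handling the clamp is computed twice with two differently named macros, `MIN(sizeof(buf)-1, text_length)` for the `memcpy` and lowercase `min(...)` for the terminator index; computing it once keeps the copy and the terminator in step: `size_t n = MIN(sizeof(buf) - 1, text_length); memcpy(buf, tptr, n); buf[n] = '\0';`. The `TCHECK2(*tptr, text_length);` placed above the `if` runs before the `text_length <= tlen` sanity test, so a PDU whose text length exceeds the remaining PDU is reported as `|trunc` rather than as malformed; moving the TCHECK2 inside the `if` keeps the two diagnostics distinct. `encapsulated_pdu_length` is now checked against the capture but, as far as the hunk shows, not against the enclosing `pdu_len`, so presumably an `if (encapsulated_pdu_length > pdu_len) goto trunc;` is also wanted — confirm against the code outside the hunk.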
2015-04-24 17:13:29.000000000 +0000
@@ -0,0 +1,34 @@
+Description: fix denial of service and possible code execution
+Origin: vendor, backport of patch from Debian 4.6.2-4 package
+
+Index: tcpdump-4.5.1/print-isoclns.c
+===================================================================
+--- tcpdump-4.5.1.orig/print-isoclns.c 2015-04-24 13:07:47.859488520 -0400
++++ tcpdump-4.5.1/print-isoclns.c 2015-04-24 13:13:22.697673031 -0400
+@@ -1068,7 +1068,7 @@
+
+ if (li < sizeof(struct esis_header_t) + 2) {
+ printf(" length indicator < min PDU size %d:", li);
+- while (--length != 0)
++ while (pptr < snapend)
+ printf("%02X", *pptr++);
+ return;
+ }
+@@ -3092,8 +3092,15 @@
+ {
+ u_int16_t calculated_checksum;
+
+- /* do not attempt to verify the checksum if it is zero */
+- if (!checksum) {
++ /* do not attempt to verify the checksum if it is zero,
++ * if the total length is nonsense,
++ * if the offset is nonsense,
++ * or the base pointer is not sane
++ */
++ if (!checksum
++ || length > snaplen
++ || checksum_offset > snaplen
++ || checksum_offset > length) {
+ printf("(unverified)");
+ } else {
+ calculated_checksum = create_osi_cksum(pptr, checksum_offset, length);
diff -Nru tcpdump-4.5.1/debian/patches/60_cve-2015-2155.diff tcpdump-4.5.1/debian/patches/60_cve-2015-2155.diff
--- tcpdump-4.5.1/debian/patches/60_cve-2015-2155.diff 1970-01-01 00:00:00.000000000 +0000
+++ tcpdump-4.5.1/debian/patches/60_cve-2015-2155.diff 2015-04-24 17:05:50.000000000 +0000
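Review bot: The new checksum guard compares `length` and `checksum_offset` with `snaplen`, the configured snapshot size, not with the bytes actually captured for this packet, so a short packet whose declared `length` is below `snaplen` still lets `create_osi_cksum` read past `snapend`; the precise tests are `!TTEST2(*pptr, length)` and `!TTEST2(*(pptr + checksum_offset), 2)`, and since the checksum field is two bytes the offset test should be `checksum_offset + 2 > length`. In the esis_print hunk, `while (pptr < snapend)` is bounded by the capture but no longer by the PDU, so it also dumps whatever follows the PDU in the buffer; `while (length-- > 0 && pptr < snapend)` bounds it by both — the replaced pre-decrement printed one byte fewer, so confirm the intended count. Both enclosing functions start and end outside the hunk.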
@@ -0,0 +1,18 @@
+Description: fix denial of service and possible code execution
+Origin: vendor, backport of patch from Debian 4.6.2-4 package
+
+Index: tcpdump-4.5.1/print-forces.c
+===================================================================
+--- tcpdump-4.5.1.orig/print-forces.c 2015-04-24 13:03:13.644753679 -0400
++++ tcpdump-4.5.1/print-forces.c 2015-04-24 13:03:57.765262423 -0400
+@@ -1217,7 +1217,9 @@
+
+ }
+
+- rc = ops->print(dp, tll, ops->op_msk, indent + 1);
++ if(ops->print) {
++ rc = ops->print(dp, tll, ops->op_msk, indent + 1);
++ }
+ return rc;
+
+ trunc:
diff -Nru tcpdump-4.5.1/debian/patches/series tcpdump-4.5.1/debian/patches/series
--- tcpdump-4.5.1/debian/patches/series 2014-12-03 21:36:02.000000000 +0000
+++ tcpdump-4.5.1/debian/patches/series 2015-04-24 17:03:09.000000000 +0000
@@ -9,3 +9,8 @@
 CVE-2014-8768.patch
 CVE-2014-8769.patch
 CVE-2014-9140.patch
+60_cve-2015-0261.diff
+60_cve-2015-2153.diff
+60_cve-2015-2153-fix-regression.diff
+60_cve-2015-2154.diff
+60_cve-2015-2155.diff
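Review bot: `if(ops->print)` skips the call silently, so a TLV whose type has no printer produces no output and the function returns whatever `rc` held before; if `rc` is not initialised earlier in the function (its start is outside the hunk) that is an indeterminate return value, and even when it is 0 the unsupported type is invisible in the output. Initialising `rc` at its declaration and adding an `else` branch that prints a marker, e.g. `printf(" [no printer for TLV type]")` (constructed wording), makes the case observable to the user. As a style point, tcpdump writes `if (` with a space.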