diff -u libmikmod-3.1.11/debian/changelog libmikmod-3.1.11/debian/changelog
--- libmikmod-3.1.11/debian/changelog
+++ libmikmod-3.1.11/debian/changelog
@@ -1,3 +1,33 @@
+libmikmod (3.1.11-6.4~lucid~ppa1) lucid; urgency=low
+
+ * no-source-change backports
+
+ -- Gabriel Rota Wed, 31 Aug 2011 16:34:22 +0200
+
+libmikmod (3.1.11-6.4) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fixed regression introduced by CVE-2007-6720.patch
+ (Closes: #631009)(LP: #194916)
+
+ -- Giuseppe Iuculano Mon, 01 Aug 2011 11:51:59 +0200
+
+libmikmod (3.1.11-6.3) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Upstream fix for CVE-2009-3995 was incorrect, this is CVE-2010-2546
+ (Closes: #575742)
+
+ -- Moritz Muehlenhoff Thu, 29 Jul 2010 21:16:34 -0400
+
+libmikmod (3.1.11-6.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * debian/patches/CVE-2009-3995f.patch: fixes buffer overflows in the
+ loaders for Impulse Tracker and Ultratracker files. (Closes: #575742)
+
+ -- Arne Wichmann Sat, 12 Jun 2010 16:14:44 +0200
+
 libmikmod (3.1.11-6.1) unstable; urgency=high
 
 * Non-maintainer upload.
diff -u libmikmod-3.1.11/debian/patches/CVE-2007-6720.patch libmikmod-3.1.11/debian/patches/CVE-2007-6720.patch
--- libmikmod-3.1.11/debian/patches/CVE-2007-6720.patch
+++ libmikmod-3.1.11/debian/patches/CVE-2007-6720.patch
@@ -1,38 +1,109 @@ --- libmikmod-3.1.11.orig/playercode/mplayer.c +++ libmikmod-3.1.11/playercode/mplayer.c -@@ -2318,7 +2318,7 @@ +@@ -52,6 +52,8 @@ + will wait */ + /*static*/ MODULE *pf = NULL; + ++#define NUMVOICES(mod) (md_sngchn < (mod)->numvoices ? md_sngchn : (mod)->numvoices) ++ + #define HIGH_OCTAVE 2 /* number of above-range octaves */ + + static UWORD oldperiods[OCTAVE*2]={ +@@ -248,14 +250,14 @@ + MP_VOICE *a; + ULONG t,k,tvol,pp; + +- for (t=0;tvoice[t].main.kick==KICK_ABSENT)|| + (mod->voice[t].main.kick==KICK_ENV))&& + Voice_Stopped_internal(t)) + return t; + + tvol=0xffffffUL;t=-1;a=mod->voice; +- for (k=0;kmain.s) + return k; +@@ -2249,12 +2251,12 @@ + + switch (dat) { + case 0x0: /* past note cut */ +- for (t=0;tvoice[t].master==a) + mod->voice[t].main.fadevol=0; + break; + case 0x1: /* past note off */ +- for (t=0;tvoice[t].master==a) { + mod->voice[t].main.keyoff|=KEY_OFF; + if ((!(mod->voice[t].venv.flg & EF_ON))|| +@@ -2263,7 +2265,7 @@ + } + break; + case 0x2: /* past note fade */ +- for (t=0;tvoice[t].master==a) + mod->voice[t].main.keyoff|=KEY_FADE; + break; +@@ -2318,7 +2320,7 @@ SAMPLE *s; mod->totalchn=mod->realchn=0; - for (channel=0;channelnumchn;channel++) { ++ for (channel=0;channelvoice[channel]; i=aout->main.i; s=aout->main.s; -@@ -3086,7 +3086,7 @@ +@@ -2736,7 +2738,7 @@ + if (a->dct!=DCT_OFF) { + int t; + +- for (t=0;tvoice[t].masterchn==channel)&& + (a->main.sample==mod->voice[t].main.sample)) { +@@ -2978,6 +2980,11 @@ + if (!(mod->voice=(MP_VOICE*)_mm_calloc(md_sngchn,sizeof(MP_VOICE)))) + return 1; + ++ /* mod->numvoices was used during loading to clamp md_sngchn. ++ After loading it's used to remember how big mod->voice is. 
++ */ ++ mod->numvoices = md_sngchn; ++ + Player_Init_internal(mod); + return 0; + } +@@ -3086,7 +3093,7 @@ pf->patbrk=0; pf->vbtick=pf->sngspd; - for (t=0;tnumchn;t++) { ++ for (t=0;tvoice[t].main.i=NULL; pf->voice[t].main.s=NULL; -@@ -3111,7 +3111,7 @@ +@@ -3111,7 +3118,7 @@ pf->patbrk=0; pf->vbtick=pf->sngspd; - for (t=0;tnumchn;t++) { ++ for (t=0;tvoice[t].main.i=NULL; pf->voice[t].main.s=NULL; -@@ -3138,7 +3138,7 @@ +@@ -3138,7 +3145,7 @@ pf->sngpos=pos; pf->vbtick=pf->sngspd; - for (t=0;tnumchn;t++) { ++ for (t=0;tvoice[t].main.i=NULL; pf->voice[t].main.s=NULL; only in patch2: unchanged: --- libmikmod-3.1.11.orig/debian/patches/CVE-2009-3995f.patch +++ libmikmod-3.1.11/debian/patches/CVE-2009-3995f.patch 
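Review bot: `mod->numvoices` now carries two meanings, as the comment added just before `mod->numvoices = md_sngchn;` says: a load-time clamp on `md_sngchn` and, afterwards, the allocated length of `mod->voice`. Every loop bounded by `NUMVOICES(mod)` is only in range while the second meaning holds, so any other path that allocates or frees `mod->voice` (none is visible in this hunk) has to keep the field in sync; a note on the field's declaration such as `/* after the voice array is allocated: number of entries in voice[] */` would make that invariant visible to the next maintainer. The macro also expands `mod` twice, so it should only ever be given a side-effect-free argument, or be replaced by a `static` inline function. Text inside several `for` headers has been lost in this page's extraction, so the exact bounds on the new side cannot be confirmed from here.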
@@ -0,0 +1,35 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2009-3995f.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Patch for CVE-2009-3995 and CVE-2009-3996
+
+@DPATCH@
+
+diff -Ndurp libmikmod-3.1.11/loaders/load_it.c libmikmod-3.1.11-fixed/loaders/load_it.c
+--- libmikmod-3.1.11/loaders/load_it.c 2010-05-31 14:10:34.000000000 +0200
++++ libmikmod-3.1.11-fixed/loaders/load_it.c 2010-05-31 14:10:10.000000000 +0200
+@@ -862,6 +862,10 @@ BOOL IT_Load(BOOL curious)
+ #endif
+
+ IT_ProcessEnvelope(vol);
++ /* fix for CVE-2009-3995 - snatched from SuSe's fix -- AW */
++ if (ih.volpts>= ENVPOINTS)
++ ih.volpts = ENVPOINTS-1;
++
+ for(u=0;uvolenv[u].val=(ih.volnode[u]<<2);
+
+diff -Ndurp libmikmod-3.1.11/loaders/load_ult.c libmikmod-3.1.11-fixed/loaders/load_ult.c
+--- libmikmod-3.1.11/loaders/load_ult.c 2010-05-31 14:10:34.000000000 +0200
++++ libmikmod-3.1.11-fixed/loaders/load_ult.c 2010-05-31 14:10:10.000000000 +0200
+@@ -224,6 +224,9 @@ BOOL ULT_Load(BOOL curious)
+ for(u=0;u=UF_MAXCHAN)
++ of.numchn=UF_MAXCHAN - 1;
+
+ /* read pan position table for v1.5 and higher */
+ if(mh.id[14]>='3') {
only in patch2:
unchanged:
--- libmikmod-3.1.11.orig/debian/patches/CVE-2010-2546.patch
+++ libmikmod-3.1.11/debian/patches/CVE-2010-2546.patch
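Review bot: The Ultratracker guard in `ULT_Load` silently rewrites `of.numchn` to `UF_MAXCHAN - 1` and keeps loading, so a file whose header declares more channels than the loader supports is then parsed with a channel count that no longer matches its own layout. Rejecting the file is the more predictable response to a malformed header, for example `if (of.numchn >= UF_MAXCHAN) { _mm_errno = MMERR_LOADING_HEADER; return 0; }`. Whether the limit should be `>=` or `>` depends on how the arrays indexed by the channel count are sized, which is outside this hunk, so the check also deserves a one-line comment stating the intended maximum. Both loader functions start and end outside the lines shown.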
@@ -0,0 +1,31 @@
+--- loaders/load_it.c.orig 2010-07-22 16:02:16.000000000 +0200
++++ libmikmod-3.1.11/loaders/load_it.c 2010-07-22 16:07:48.000000000 +0200
+@@ -743,6 +743,8 @@ BOOL IT_Load(BOOL curious)
+ #define IT_LoadEnvelope(name,type) \
+ ih. name##flg =_mm_read_UBYTE(modreader); \
+ ih. name##pts =_mm_read_UBYTE(modreader); \
++ if (ih. name##pts > ITENVCNT) \
++ ih. name##pts = ITENVCNT; \
+ ih. name##beg =_mm_read_UBYTE(modreader); \
+ ih. name##end =_mm_read_UBYTE(modreader); \
+ ih. name##susbeg=_mm_read_UBYTE(modreader); \
+@@ -756,6 +758,8 @@ BOOL IT_Load(BOOL curious)
+ #define IT_LoadEnvelope(name,type) \
+ ih. name/**/flg =_mm_read_UBYTE(modreader); \
+ ih. name/**/pts =_mm_read_UBYTE(modreader); \
++ if (ih. name/**/pts > ITENVCNT) \
++ ih. name/**/pts = ITENVCNT; \
+ ih. name/**/beg =_mm_read_UBYTE(modreader); \
+ ih. name/**/end =_mm_read_UBYTE(modreader); \
+ ih. name/**/susbeg=_mm_read_UBYTE(modreader); \
+@@ -862,10 +866,6 @@ BOOL IT_Load(BOOL curious)
+ #endif
+
+ IT_ProcessEnvelope(vol);
+- /* fix for CVE-2009-3995 - snatched from SuSe's fix -- AW */
+- if (ih.volpts>= ENVPOINTS)
+- ih.volpts = ENVPOINTS-1;
+-
+ for(u=0;uvolenv[u].val=(ih.volnode[u]<<2);
+
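Review bot: The new clamp in `IT_LoadEnvelope` bounds the point count by `ITENVCNT`, while the check it replaces after `IT_ProcessEnvelope(vol)` bounded it by `ENVPOINTS`, and the copy loop that follows still writes into `d->volenv`. That loop stays in range only if `ITENVCNT` does not exceed `ENVPOINTS`; both constants are defined outside this hunk, so the relationship should be enforced next to the macro, e.g. `#if ITENVCNT > ENVPOINTS` / `#error "ITENVCNT must not exceed ENVPOINTS"` / `#endif`. A short comment on the clamp saying that the count comes straight from the file and is capped to the size of the header's envelope arrays would also explain why it sits immediately after the read. `IT_Load` begins and ends outside the hunk.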