tiff: version bump to address open CVEs

- Bumps version to 4.0.9. Otherwise about two dozen packages would need
  to be backported. There were no ABI/API changes between 4.0.3 and
  4.0.9, so this is OK.
- Adds a patch from Jow that addresses a macro issue (already in
  master/lede-17.01)
- Adds patches copied from Debian for CVE-2017-18013 and CVE-2017-9935
  on top.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>

libs/tiff/Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2014 OpenWrt.org
+# Copyright (C) 2006-2018 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=tiff
-PKG_VERSION:=4.0.3
-PKG_RELEASE:=4
+PKG_VERSION:=4.0.9
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://download.osgeo.org/libtiff
-PKG_MD5SUM:=051c1068e6a0627f461948c365290410
+PKG_MD5SUM:=54bad211279cc93eb4fca31ba9bfdc79
 
 PKG_FIXUP:=autoreconf
 PKG_REMOVE_FILES:=autogen.sh aclocal.m4
@@ -31,7 +31,7 @@ include $(INCLUDE_DIR)/package.mk
 define Package/tiff/Default
   TITLE:=TIFF
   URL:=http://www.remotesensing.org/libtiff/
-  MAINTAINER:=Jiri Slachta <slachta@cesnet.cz>
+  MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
 endef
 
 define Package/libtiff