I took these patches from the libtiff CVS repo using the information contained in the respective bug reports: http://bugzilla.maptools.org/buglist.cgi?product=libtiff

This is my first time using CVS, so please review carefully.

I removed the hunks that looked like this, since most of them did not apply:

@@ -1,4 +1,4 @@
-/* $Id: tiffcrop.c,v 1.36 2016-07-11 21:26:03 erouault Exp $ */
+/* $Id: tiffcrop.c,v 1.37 2016-07-11 21:38:31 erouault Exp $ */
 /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
  * the image data through additional options listed below

I also had to add a directory level, so ...

diff -u -r1.36 -r1.37
--- tools/tiffcrop.c 11 Jul 2016 21:26:03 -0000 1.36
+++ tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37

... became ...

diff -u -r1.36 -r1.37
--- libtiff/tools/tiffcrop.c 11 Jul 2016 21:26:03 -0000 1.36
+++ libtiff/tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37

There are several CVEs in that cluster that libtiff did not provide a patch for. Instead, they decided to remove the affected component entirely in the upcoming release. For example: http://bugzilla.maptools.org/show_bug.cgi?id=2567#c1

We could try copying other distros' patches for these, although in some cases the libtiff maintainer claims that the distro's patch is incorrect: http://bugzilla.maptools.org/show_bug.cgi?id=2563#c4
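Review bot: The dropped `@@ -1,4 +1,4 @@` hunk changes only the CVS `$Id` keyword comment (its `-` and `+` lines differ solely in revision number and timestamp), so omitting it loses no code. Please list the dropped hunks in the commit message and confirm that every one of them consisted only of such keyword lines, so a reviewer can see that no hunk carrying a real change was removed along with them.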
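Review bot: The rewritten file headers add `libtiff/` to both the `---` and `+++` paths consistently, so they will resolve with `patch -p0` from the directory above `libtiff/`; an alternative that keeps the upstream patch byte-for-byte (easier to diff against the CVS original later) is to leave the paths as `tools/tiffcrop.c` and apply with `patch -d libtiff -p0`.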
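As an added example (not the author's script, and not anything from libtiff), a Python helper that performs the two edits described above mechanically, so they can be re-run and audited instead of done by hand: it prefixes every `---`/`+++` path with a directory level, and drops only those hunks whose changed lines are all CVS `$Id` keyword lines, keeping any hunk that also touches code. The sample patch is constructed, modelled on the hunk quoted above.

```python
import re

ID_KEYWORD = "$Id"   # CVS keyword; its expansion differs per revision, so these lines rarely apply
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

# Constructed sample patch, modelled on the hunk quoted in the post above.
SAMPLE_PATCH = """\
diff -u -r1.36 -r1.37
--- tools/tiffcrop.c\t11 Jul 2016 21:26:03 -0000\t1.36
+++ tools/tiffcrop.c\t11 Jul 2016 21:38:31 -0000\t1.37
@@ -1,3 +1,3 @@
-/* $Id: tiffcrop.c,v 1.36 2016-07-11 21:26:03 erouault Exp $ */
+/* $Id: tiffcrop.c,v 1.37 2016-07-11 21:38:31 erouault Exp $ */
 /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
  * the image data through additional options listed below
@@ -10,3 +10,3 @@
 int a;
-int b = 1;
+int b = 2;
 int c;
"""

def rebase_patch(patch_text, prefix="libtiff/"):
    """Return (new_patch, dropped). Every ---/+++ file header gets `prefix`
    added to its path, and every hunk whose changed lines touch only $Id
    lines is removed. A hunk that changes any other line is kept whole."""
    out, dropped = [], 0
    hunk, old_left, new_left = None, 0, 0

    def flush():
        nonlocal hunk, dropped
        if hunk is None:
            return
        changed = [l for l in hunk[1:] if l[:1] in "+-"]
        if changed and all(ID_KEYWORD in l for l in changed):
            dropped += 1          # keyword-only hunk: cosmetic, safe to drop
        else:
            out.extend(hunk)      # real change (or mixed hunk): keep verbatim
        hunk = None

    for line in patch_text.splitlines():
        m = HUNK_RE.match(line)
        if m:
            flush()
            hunk = [line]         # header counts tell us where the hunk ends
            old_left = int(m.group(1)) if m.group(1) is not None else 1
            new_left = int(m.group(2)) if m.group(2) is not None else 1
            continue
        if hunk is not None:
            hunk.append(line)
            if line.startswith("-"):
                old_left -= 1
            elif line.startswith("+"):
                new_left -= 1
            elif not line.startswith("\\"):   # context line; "\ No newline" counts for neither side
                old_left -= 1
                new_left -= 1
            if old_left <= 0 and new_left <= 0:
                flush()
            continue
        if line.startswith(("--- ", "+++ ")):
            out.append(line[:4] + prefix + line[4:])   # add the directory level
        else:
            out.append(line)
    flush()
    return "\n".join(out) + "\n", dropped

if __name__ == "__main__":
    rebased, n = rebase_patch(SAMPLE_PATCH)
    print(rebased, f"dropped {n} keyword-only hunk(s)")
```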