On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:
> * gnu/packages/patches/libtiff-CVE-2017-9936.patch,
>   gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
> * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
> * gnu/local.mk (dist_patch_DATA): Add them.

> +Patch lifted from upstream source repository (the changes to 'ChangeLog'
> +don't apply to the libtiff 4.0.8 release tarball):
> +
> +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1

This is actually not the upstream source repository. It's a 3rd party
unofficial mirror.

To the chagrin of young packagers everywhere, libtiff is still using
CVS. Unless somebody beats me to it, I'll extract the patches from their
CVS repo later tonight.