Mark libgig CVE as unfixed in unstable
I could reproduce all issues in unstable. Buster is most likely also affected. Some CVEs cannot be reproduced in Jessie and Stretch because in these versions the required gigtools (gigmerge, gig2stereo) are not available to confirm the ASAN reports. However, affected code does still exist AFAICS. It may be possible to trigger the same bug via a different code path. Upstream confirmed to me via private email that there was no work on CVE-2018-* issues. I will go into more detail by responding to Debian bug #931309.