There is a memory leak in pngcp.c in libpng 1.6.36. A call to the function png_create_info_struct is not paired with a call to png_destroy_info_struct.

Upstream Issue: https://github.com/glennrp/libpng/issues/269
Created libpng tracking bugs for this issue:
Affects: fedora-all [bug 1667152]

Created libpng10 tracking bugs for this issue:
Affects: epel-6 [bug 1667157]
Affects: fedora-all [bug 1667154]

Created libpng12 tracking bugs for this issue:
Affects: fedora-all [bug 1667155]

Created libpng15 tracking bugs for this issue:
Affects: fedora-all [bug 1667156]

Created mingw-libpng tracking bugs for this issue:
Affects: epel-7 [bug 1667158]
Affects: fedora-all [bug 1667153]
This CVE is for contrib/pngcp failing to free a single struct before exiting. This is not a security issue. I expect the discussion on the upstream issue tracker will lead to this CVE being rejected.
It's also worth noting that pngcp.c was only shipped with libpng from version 1.6.24 onwards, so older versions did not have this code, let alone build and package it.