Fedora has issued an advisory on December 23:
Mageia 7 is also affected.
cauldron does not seems to be affected:
"pngcheck versions 2.4.0 and earlier have a number of buffer-overrun bugs, most (but not all) of which are related to the -f option ("force continued parsing after major errors"). As such, the option has been removed altogether in version 3.0.0 (which is the reason for the major-version bump), released on 12 December 2020. All known vulnerabilities are fixed in this version, but the code is pretty crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk. "
new version in mga7:
Updated pngcheck package fixes security vulnerabilities:
Multiple buffer overflow flaws were found in pngcheck 2.4.0 and older
Updated packages in core/updates_testing:
Ran pngcheck without arguments on a collection of 80 PNG images, most of which passed. There were a few with errors, all of this sort:
Tatiana.png illegal (unless recently approved) unknown, public chunk eXIf
Updated the package.
Ran the previous test:
$ pngcheck *.png
OK: audio.png (48x48, 32-bit RGB+alpha, non-interlaced, 53.7%).
OK: bg.png (512x400, 32-bit RGB+alpha, non-interlaced, 83.8%).
OK: bugz.png (566x357, 24-bit RGB, non-interlaced, 94.4%).
OK: xa4.png (512x512, 8-bit grayscale, non-interlaced, 38.9%).
No errors were detected in 80 of the 80 files tested.
$ pngcheck -p OrphanBlack.png
File: OrphanBlack.png (959909 bytes)
OK: OrphanBlack.png (1080x761, 24-bit RGB, non-interlaced, 61.1%).
$ pngcheck -t loch.png
File: loch.png (3259663 bytes)
OK: loch.png (2000x1500, 24-bit RGB, non-interlaced, 63.8%).
Validating. Advisory in Comment 3.
Advisory pushed to SVN.
An update for this issue has been pushed to the Mageia Updates repository.
This is CVE-2020-35511:
pngcheck new security issue rhbz#1902806 =>
pngcheck new security issue rhbz#1902806 (CVE-2020-35511)