The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl. CLONE_NEWUSER could potentially be used to confuse xdg-desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminal’s input buffer, similar to CVE-2017-5226. Versions affected: WebKitGTK before 2.28.3 and WPE WebKit before 2.28.3.
External References: https://webkitgtk.org/security/WSA-2020-0006.html
Note that RHEL 7 and RHEL 8 are both unaffected (because WebKit is not yet sandboxed in RHEL).
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13753
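
The two operations named in the description, expressed as seccomp-BPF deny rules and checked from a child process. This is an added example, not WebKit's or bubblewrap's own filter; it assumes Linux on little-endian x86-64 or aarch64, and `deny_rules`, `probe` and the helper macros are illustrative names.

```c
/* Added example (not WebKit's code). Assumes Linux, little-endian x86-64 or aarch64. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifdef __aarch64__
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#endif
#define LOAD(field) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))
#define JUMP(op, k, jt, jf) BPF_JUMP(BPF_JMP | (op) | BPF_K, (k), (jt), (jf))
#define RET(v) BPF_STMT(BPF_RET | BPF_K, (v))

static struct sock_filter deny_rules[] = {
    LOAD(arch), JUMP(BPF_JEQ, NATIVE_ARCH, 1, 0), RET(SECCOMP_RET_KILL),
    LOAD(nr), JUMP(BPF_JEQ, __NR_ioctl, 0, 2),
    /* The kernel reads the ioctl request as 32 bits, so compare the low word only. */
    LOAD(args[1]), JUMP(BPF_JEQ, TIOCSTI, 5, 4),
    JUMP(BPF_JEQ, __NR_clone, 1, 0), JUMP(BPF_JEQ, __NR_unshare, 0, 2),
    /* clone and unshare carry their flags in argument 0; clone3 is not covered here. */
    LOAD(args[0]), JUMP(BPF_JSET, CLONE_NEWUSER, 1, 0),
    RET(SECCOMP_RET_ALLOW), RET(SECCOMP_RET_ERRNO | EPERM),
};
/* Run one probe in a child under the filter; returns the errno it saw (255: no filter). */
static int probe(int which) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct sock_fprog prog = { sizeof deny_rules / sizeof *deny_rules, deny_rules };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) _exit(255);
        long r = which == 0 ? ioctl(-1, TIOCSTI, "x")               /* denied  */
               : which == 1 ? syscall(__NR_unshare, CLONE_NEWUSER)  /* denied  */
                            : ioctl(-1, TIOCGWINSZ, NULL);          /* allowed */
        _exit(r == 0 ? 0 : errno);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(void) { return probe(0) == EPERM && probe(1) == EPERM && probe(2) == EBADF ? 0 : 1; }
```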