LSOpenFromURLSpec crashes the calling program if the environment contains garbage (security relevant)
| Originator: | weissismail | | |
| Number: | rdar://24700217 | Date Originated: | 17-Feb-2016 05:50 PM |
| Status: | Open | Resolved: | |
| Product: | OS X | Product Version: | Mac OS X 10.11.3 (15D21) |
| Classification: | Security | Reproducible: | Always |
Summary: If the environment contains an environment variable whose value is garbage and LSOpenFromURLSpec is called, the calling program crashes. This is security relevant because in certain cases the environment may be attacker controlled (for example CGI).

Steps to Reproduce:

1. Open a Terminal with /bin/bash as the shell.
2. `export THIS_IS_GARBAGE=$(echo f210ee5ed81dc98acc0a | xxd -r -p)`
3. `/usr/bin/open http://apple.com`

The value set in step 2 is the byte sequence f2 10 ee 5e d8 1d c9 8a cc 0a, which is not valid UTF-8 (0xf2 announces a four-byte sequence, but 0x10 is not a continuation byte).

Expected Results: The browser opens http://apple.com.

Actual Results: open crashes with signal 5 (SIGTRAP) and a crash report is generated. The application-specific message (`__CFTypeCollectionRetain() called with NULL`) shows CoreFoundation being handed a NULL value while populating a dictionary, consistent with the non-UTF-8 environment value failing to convert to a CFString.

```
--- SNIP ---
Process:               open [8398]
Path:                  /usr/bin/open
Identifier:            open
Version:               287
Code Type:             X86-64 (Native)
Parent Process:        bash [7775]
Responsible:           Terminal [648]
User ID:               501

Date/Time:             2016-02-17 17:35:15.760 +0000
OS Version:            Mac OS X 10.11.3 (15D21)
Report Version:        11
Anonymous UUID:        E86D0815-0023-40B8-A057-56FC8D1CE33B

Sleep/Wake UUID:       AF9AA046-EAF6-47E9-895A-641929DF0E82

Time Awake Since Boot: 86000 seconds
Time Since Wake:       24000 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BREAKPOINT (SIGTRAP)
Exception Codes:       0x0000000000000002, 0x0000000000000000

Application Specific Information:
*** __CFTypeCollectionRetain() called with NULL; likely a collection has been corrupted ***

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.CoreFoundation      0x00007fff9105fe4e __CFTypeCollectionRetain + 318
1   com.apple.CoreFoundation      0x00007fff9105faed __CFBasicHashAddValue + 1661
2   com.apple.CoreFoundation      0x00007fff9105e47d CFDictionarySetValue + 221
--- SNAP ---
```

Regression: don't know

Notes: n/a
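The mitigation a calling program (a CGI, a setuid helper, anything that cannot trust its inherited environment) can apply on its own side is to validate environment entries before reaching any code path that bridges `environ` into CoreFoundation strings. The following is an added example, not code from the Radar or from Apple: a strict UTF-8 validator, a per-entry check (portable `NAME=value` with a UTF-8 value), and a filter that builds a clean environment array. The function names and the constructed demo environment are this example's own; the garbage entry in it uses exactly the bytes from step 2 of the report.

```c
/* Added example (not from the Radar or Apple): drop environment entries that
 * would not survive conversion to a CFString, before calling into Launch
 * Services. Helper names are hypothetical; the demo environment is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Strict UTF-8 check (RFC 3629): rejects stray continuation bytes, truncated
 * sequences, overlong encodings, UTF-16 surrogates and code points > U+10FFFF. */
int utf8_is_valid(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = s[i];
        size_t need;   /* continuation bytes expected after the lead byte */
        uint32_t cp;
        if (c < 0x80) { i++; continue; }
        if ((c & 0xE0) == 0xC0) { if (c < 0xC2) return 0; need = 1; cp = c & 0x1F; }
        else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; }
        else if ((c & 0xF8) == 0xF0) { if (c > 0xF4) return 0; need = 3; cp = c & 0x07; }
        else return 0;                    /* 0x80-0xBF, 0xF5-0xFF: never a lead byte */
        if (i + need >= len) return 0;    /* sequence runs past the end */
        for (size_t k = 1; k <= need; k++) {
            unsigned char cc = s[i + k];
            if ((cc & 0xC0) != 0x80) return 0;   /* the report's f2 10 fails here */
            cp = (cp << 6) | (cc & 0x3F);
        }
        if (need == 2 && (cp < 0x800 || (cp >= 0xD800 && cp <= 0xDFFF))) return 0;
        if (need == 3 && (cp < 0x10000 || cp > 0x10FFFF)) return 0;
        i += need + 1;
    }
    return 1;
}

/* NAME=value: NAME must be a non-empty POSIX portable name, value valid UTF-8. */
int env_entry_is_safe(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry) return 0;
    for (const char *p = entry; p < eq; p++) {
        unsigned char c = (unsigned char)*p;
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
              (c >= '0' && c <= '9') || c == '_')) return 0;
    }
    return utf8_is_valid((const unsigned char *)(eq + 1), strlen(eq + 1));
}

/* Copy the safe entries of envp into out (NULL-terminated); returns the count.
 * The result can be passed to execve() or used to rebuild environ. */
size_t filter_environ(char *const *envp, char **out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; envp[i] != NULL && n + 1 < cap; i++)
        if (env_entry_is_safe(envp[i])) out[n++] = envp[i];
    out[n] = NULL;
    return n;
}

/* Constructed environment mirroring the report; returns how many entries survive. */
size_t demo_filtered_count(void)
{
    char *demo[] = {
        "PATH=/usr/bin:/bin",
        "THIS_IS_GARBAGE=\xf2\x10\xee\x5e\xd8\x1d\xc9\x8a\xcc\x0a", /* bytes from step 2 */
        "LANG=fr_FR.UTF-8",
        "ACCENT=caf\xc3\xa9",          /* valid two-byte sequence, kept */
        "OVERLONG=\xc0\x80",           /* overlong encoding of NUL, dropped */
        "=novalue",                    /* empty name, dropped */
        NULL
    };
    char *out[8];
    return filter_environ(demo, out, 8);   /* 3 */
}

extern char **environ;

int main(void)
{
    char *clean[1024];
    size_t total = 0, kept = filter_environ(environ, clean, 1024);
    while (environ[total] != NULL) total++;
    printf("process environment: kept %zu of %zu entries\n", kept, total);
    printf("constructed demo environment: kept %zu of 6 entries\n", demo_filtered_count());
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run it after the `export` from step 2 to watch the garbage variable disappear from the filtered set. This only protects the caller's own process: a value that is rejected here is not forwarded, but the underlying NULL-insertion in Launch Services is still Apple's to fix.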