Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Control: tags -1 -pending +confirmed On Mon, 2020-05-04 at 22:02 +0200, Xavier wrote: > Le 04/05/2020 à 18:53, Mattia Rizzolo a écrit : > > Hi, > > > > let me reply before adsb has a chance ;) > > > > On Mon, May 04, 2020 at 02:24:20PM +0200, Xavier wrote: > > > Finally I found a way to fix CVE and keep autopkgtest OK > > > (node-markdown-it-html5-embed). Here is a debdiff for a future > > > point release > > > > This is good, however, > > > > > diff --git a/debian/changelog b/debian/changelog > > > index b985661..64df8db 100644 > > > --- a/debian/changelog > > > +++ b/debian/changelog > > > @@ -1,3 +1,11 @@ > > > +node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium > > > + > > > + * Team upload > > > + * Disallow calling "helperMissing" and "blockHelperMissing" > > > directly > > > +(Closes: CVE-2019-19919) > > > + > > > + -- Xavier Guimard Mon, 04 May 2020 14:21:11 > > > +0200 > > > > By now 3:4.1.0-1+deb10u1 is already accepted in p-u, built and all, > > and > > it can't really be removed from there and replaced by a same- > > versined > > pacakge. > > > > Please prepare a +deb10u2 version, and post here a debdiff against > > the > > already uploaded +deb10u1 one. > > Is it good so ? Sorry for the delay. Please feel free to go ahead. Regards, Adam
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Le 04/05/2020 à 18:53, Mattia Rizzolo a écrit :
> Hi,
>
> let me reply before adsb has a chance ;)
>
> On Mon, May 04, 2020 at 02:24:20PM +0200, Xavier wrote:
>> Finally I found a way to fix CVE and keep autopkgtest OK
>> (node-markdown-it-html5-embed). Here is a debdiff for a future point release
>
> This is good, however,
>
>> diff --git a/debian/changelog b/debian/changelog
>> index b985661..64df8db 100644
>> --- a/debian/changelog
>> +++ b/debian/changelog
>> @@ -1,3 +1,11 @@
>> +node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium
>> +
>> + * Team upload
>> + * Disallow calling "helperMissing" and "blockHelperMissing" directly
>> +(Closes: CVE-2019-19919)
>> +
>> + -- Xavier Guimard Mon, 04 May 2020 14:21:11 +0200
>
> By now 3:4.1.0-1+deb10u1 is already accepted in p-u, built and all, and
> it can't really be removed from there and replaced by a same-versined
> pacakge.
>
> Please prepare a +deb10u2 version, and post here a debdiff against the
> already uploaded +deb10u1 one.
Is it good so ?
diff --git a/debian/changelog b/debian/changelog
index 95811b9..e49c409 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-handlebars (3:4.1.0-1+deb10u2) buster; urgency=medium
+
+ * Fix regression introduced in 3:4.1.0-1+deb10u1
+
+ -- Xavier Guimard Mon, 04 May 2020 22:01:16 +0200
+
node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2019-19919.patch
b/debian/patches/CVE-2019-19919.patch
index f63f106..d34e77a 100644
--- a/debian/patches/CVE-2019-19919.patch
+++ b/debian/patches/CVE-2019-19919.patch
@@ -75,6 +75,21 @@ Last-Update: 2019-12-30
);
}
+--- a/lib/handlebars/helpers.js
b/lib/handlebars/helpers.js
+@@ -15,3 +15,12 @@
+ registerLookup(instance);
+ registerWith(instance);
+ }
++
++export function moveHelperToHooks(instance, helperName, keepHelper) {
++ if (instance.helpers[helperName]) {
++instance.hooks[helperName] = instance.helpers[helperName];
++if (!keepHelper) {
++ delete instance.helpers[helperName];
++}
++ }
++}
--- a/lib/handlebars/runtime.js
+++ b/lib/handlebars/runtime.js
@@ -1,6 +1,7 @@
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Hi, let me reply before adsb has a chance ;) On Mon, May 04, 2020 at 02:24:20PM +0200, Xavier wrote: > Finally I found a way to fix CVE and keep autopkgtest OK > (node-markdown-it-html5-embed). Here is a debdiff for a future point release This is good, however, > diff --git a/debian/changelog b/debian/changelog > index b985661..64df8db 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,11 @@ > +node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium > + > + * Team upload > + * Disallow calling "helperMissing" and "blockHelperMissing" directly > +(Closes: CVE-2019-19919) > + > + -- Xavier Guimard Mon, 04 May 2020 14:21:11 +0200 By now 3:4.1.0-1+deb10u1 is already accepted in p-u, built and all, and it can't really be removed from there and replaced by a same-versined pacakge. Please prepare a +deb10u2 version, and post here a debdiff against the already uploaded +deb10u1 one. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. More about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri `. `'` Debian QA page: https://qa.debian.org/developer.php?login=mattia `- signature.asc Description: PGP signature
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Le 04/05/2020 à 11:54, Adam D. Barratt a écrit :
> On Mon, 2020-05-04 at 11:36 +0200, Xavier wrote:
>> Le 02/05/2020 à 11:58, Adam D. Barratt a écrit :
>>> On Sat, 2020-04-25 at 21:30 +0200, Paul Gevers wrote:
Hi Xavier,
On Sat, 8 Feb 2020 08:23:25 +0100 Xavier wrote:
> Le 07/02/2020 à 20:16, Adam D. Barratt a écrit :
>> On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote:
>> This apparently causes regressions in the autopkgtests of
>> node-
>> markdown-it-html5-embed, which you also most recently
>> uploaded -
>> see
>> https://ci.debian.net/user/britney/jobs?package=node-markdown-it-html5-embed&suite[]=stable&arch[]=amd64
>>
>> Is this enough of an issue to not include the node-handlebars
>> update?
>>
>> Regards,
>>
>> Adam
>
> Hi,
>
> then please defer node-handlebars update until I understand
> what
> happens.
Did you figure this out in the mean time? The next point release
is
going to happen on 9 May 2020, so it would be good to know if the
package can be included.
>>>
>>> Ping?
>>>
>>> Regards,
>>>
>>> Adam
>>
>> Hi,
>>
>> Sorry for the delay.
>>
>> handlebar patch is based on some other commits, its test succeeds but
>> renders it unusable as shown by node-markdown-it-html5-embed
>> regression.
>> I've to pick some other commits...
>
> Thanks for getting back to us.
>
> The window for getting fixes into 10.4 closed yesterday, so I guess
> we'll be excluding node-handlebars again?
>
> Regards,
>
> Adam
Finally I found a way to fix CVE and keep autopkgtest OK
(node-markdown-it-html5-embed). Here is a debdiff for a future point release
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index b985661..64df8db 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Disallow calling "helperMissing" and "blockHelperMissing" directly
+(Closes: CVE-2019-19919)
+
+ -- Xavier Guimard Mon, 04 May 2020 14:21:11 +0200
+
node-handlebars (3:4.1.0-1) unstable; urgency=medium
* New upstream version 4.1.0 (Closes: #923042)
diff --git a/debian/patches/CVE-2019-19919.patch
b/debian/patches/CVE-2019-19919.patch
new file mode 100644
index 000..d34e77a
--- /dev/null
+++ b/debian/patches/CVE-2019-19919.patch
@@ -0,0 +1,228 @@
+Description: Disallow calling "helperMissing" and "blockHelperMissing" directly
+ Fix for CVE-2019-19919
+Author: Nils Knappmeier
+Origin: upstream, https://github.com/wycats/handlebars.js/commit/2078c72
+Bug: https://github.com/wycats/handlebars.js/issues/1558
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2019-12-30
+
+--- a/lib/handlebars/compiler/javascript-compiler.js
b/lib/handlebars/compiler/javascript-compiler.js
+@@ -311,7 +311,7 @@
+ // replace it on the stack with the result of properly
+ // invoking blockHelperMissing.
+ blockValue: function(name) {
+-let blockHelperMissing = this.aliasable('helpers.blockHelperMissing'),
++let blockHelperMissing =
this.aliasable('container.hooks.blockHelperMissing'),
+ params = [this.contextName(0)];
+ this.setupHelperArgs(name, 0, params);
+
+@@ -329,7 +329,7 @@
+ // On stack, after, if lastHelper: value
+ ambiguousBlockValue: function() {
+ // We're being a bit cheeky and reusing the options value from the prior
exec
+-let blockHelperMissing = this.aliasable('helpers.blockHelperMissing'),
++let blockHelperMissing =
this.aliasable('container.hooks.blockHelperMissing'),
+ params = [this.contextName(0)];
+ this.setupHelperArgs('', 0, params, true);
+
+@@ -622,18 +622,31 @@
+ // If the helper is not found, `helperMissing` is called.
+ invokeHelper: function(paramSize, name, isSimple) {
+ let nonHelper = this.popStack(),
+-helper = this.setupHelper(paramSize, name),
+-simple = isSimple ? [helper.name, ' || '] : '';
++helper = this.setupHelper(paramSize, name);
+
+-let lookup = ['('].concat(simple, nonHelper);
++let possibleFunctionCalls = [];
++
++if (isSimple) { // direct call to helper
++ possibleFunctionCalls.push(helper.name);
++}
++// call a function from the input object
++possibleFunctionCalls.push(nonHelper);
+ if (!this.options.strict) {
+- lookup.push(' || ', this.aliasable('helpers.helperMissing'));
++
possibleFunctionCalls.push(this.aliasable('container.hooks.helperMissing'));
+ }
+-lookup.push(')');
+-
+-this.push(this.source.functionCall(lookup, 'call', helper.callParams));
++let functionLookupCode = ['(',
this.itemsSeparatedBy(possibleFunctionCalls, '||'), ')'];
++let functionCall = this.source.functionCall(functionLookupCode, 'call',
helper.callParams);
++this.push(functionCall);
+ },
+
++ itemsSeparatedBy: function(items, separator) {
++let result = [];
++result.push(items[0]);
++f
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Le 04/05/2020 à 11:54, Adam D. Barratt a écrit : > On Mon, 2020-05-04 at 11:36 +0200, Xavier wrote: >> Le 02/05/2020 à 11:58, Adam D. Barratt a écrit : >>> On Sat, 2020-04-25 at 21:30 +0200, Paul Gevers wrote: Hi Xavier, On Sat, 8 Feb 2020 08:23:25 +0100 Xavier wrote: > Le 07/02/2020 à 20:16, Adam D. Barratt a écrit : >> On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote: >> This apparently causes regressions in the autopkgtests of >> node- >> markdown-it-html5-embed, which you also most recently >> uploaded - >> see >> https://ci.debian.net/user/britney/jobs?package=node-markdown-it-html5-embed&suite[]=stable&arch[]=amd64 >> >> Is this enough of an issue to not include the node-handlebars >> update? >> >> Regards, >> >> Adam > > Hi, > > then please defer node-handlebars update until I understand > what > happens. Did you figure this out in the mean time? The next point release is going to happen on 9 May 2020, so it would be good to know if the package can be included. >>> >>> Ping? >>> >>> Regards, >>> >>> Adam >> >> Hi, >> >> Sorry for the delay. >> >> handlebar patch is based on some other commits, its test succeeds but >> renders it unusable as shown by node-markdown-it-html5-embed >> regression. >> I've to pick some other commits... > > Thanks for getting back to us. > > The window for getting fixes into 10.4 closed yesterday, so I guess > we'll be excluding node-handlebars again? Yes, I've not enough time to fix this Cheers, Xavier
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
On Mon, 2020-05-04 at 11:36 +0200, Xavier wrote: > Le 02/05/2020 à 11:58, Adam D. Barratt a écrit : > > On Sat, 2020-04-25 at 21:30 +0200, Paul Gevers wrote: > > > Hi Xavier, > > > > > > On Sat, 8 Feb 2020 08:23:25 +0100 Xavier wrote: > > > > Le 07/02/2020 à 20:16, Adam D. Barratt a écrit : > > > > > On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote: > > > > > This apparently causes regressions in the autopkgtests of > > > > > node- > > > > > markdown-it-html5-embed, which you also most recently > > > > > uploaded - > > > > > see > > > > > https://ci.debian.net/user/britney/jobs?package=node-markdown-it-html5-embed&suite[]=stable&arch[]=amd64 > > > > > > > > > > Is this enough of an issue to not include the node-handlebars > > > > > update? > > > > > > > > > > Regards, > > > > > > > > > > Adam > > > > > > > > Hi, > > > > > > > > then please defer node-handlebars update until I understand > > > > what > > > > happens. > > > > > > Did you figure this out in the mean time? The next point release > > > is > > > going to happen on 9 May 2020, so it would be good to know if the > > > package can be included. > > > > Ping? > > > > Regards, > > > > Adam > > Hi, > > Sorry for the delay. > > handlebar patch is based on some other commits, its test succeeds but > renders it unusable as shown by node-markdown-it-html5-embed > regression. > I've to pick some other commits... Thanks for getting back to us. The window for getting fixes into 10.4 closed yesterday, so I guess we'll be excluding node-handlebars again? Regards, Adam
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Le 02/05/2020 à 11:58, Adam D. Barratt a écrit : > On Sat, 2020-04-25 at 21:30 +0200, Paul Gevers wrote: >> Hi Xavier, >> >> On Sat, 8 Feb 2020 08:23:25 +0100 Xavier wrote: >>> Le 07/02/2020 à 20:16, Adam D. Barratt a écrit : On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote: This apparently causes regressions in the autopkgtests of node- markdown-it-html5-embed, which you also most recently uploaded - see https://ci.debian.net/user/britney/jobs?package=node-markdown-it-html5-embed&suite[]=stable&arch[]=amd64 Is this enough of an issue to not include the node-handlebars update? Regards, Adam >>> >>> Hi, >>> >>> then please defer node-handlebars update until I understand what >>> happens. >> >> Did you figure this out in the mean time? The next point release is >> going to happen on 9 May 2020, so it would be good to know if the >> package can be included. > > Ping? > > Regards, > > Adam Hi, Sorry for the delay. handlebar patch is based on some other commits, its test succeeds but renders it unusable as shown by node-markdown-it-html5-embed regression. I've to pick some other commits...
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
On Sat, 2020-04-25 at 21:30 +0200, Paul Gevers wrote: > Hi Xavier, > > On Sat, 8 Feb 2020 08:23:25 +0100 Xavier wrote: > > Le 07/02/2020 à 20:16, Adam D. Barratt a écrit : > > > On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote: > > > This apparently causes regressions in the autopkgtests of node- > > > markdown-it-html5-embed, which you also most recently uploaded - > > > see > > > https://ci.debian.net/user/britney/jobs?package=node-markdown-it-html5-embed&suite[]=stable&arch[]=amd64 > > > > > > Is this enough of an issue to not include the node-handlebars > > > update? > > > > > > Regards, > > > > > > Adam > > > > Hi, > > > > then please defer node-handlebars update until I understand what > > happens. > > Did you figure this out in the mean time? The next point release is > going to happen on 9 May 2020, so it would be good to know if the > package can be included. Ping? Regards, Adam
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Hi Xavier, On Sat, 8 Feb 2020 08:23:25 +0100 Xavier wrote: > Le 07/02/2020 à 20:16, Adam D. Barratt a écrit : > > On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote: > > This apparently causes regressions in the autopkgtests of node- > > markdown-it-html5-embed, which you also most recently uploaded - see > > https://ci.debian.net/user/britney/jobs?package=node-markdown-it-html5-embed&suite[]=stable&arch[]=amd64 > > > > Is this enough of an issue to not include the node-handlebars update? > > > > Regards, > > > > Adam > > Hi, > > then please defer node-handlebars update until I understand what happens. Did you figure this out in the mean time? The next point release is going to happen on 9 May 2020, so it would be good to know if the package can be included. Paul
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Le 07/02/2020 à 20:16, Adam D. Barratt a écrit : > On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote: >> Control: tags -1 + confirmed >> >> On Mon, 2019-12-30 at 07:51 +0100, Xavier Guimard wrote: >>> node-handlebars is vulnearable to prototype pollution (CVE-2019- >>> 19919). >>> >> >> Please go ahead. > > This apparently causes regressions in the autopkgtests of node- > markdown-it-html5-embed, which you also most recently uploaded - see > https://ci.debian.net/user/britney/jobs?package=node-markdown-it-html5-embed&suite[]=stable&arch[]=amd64 > > Is this enough of an issue to not include the node-handlebars update? > > Regards, > > Adam Hi, then please defer node-handlebars update until I understand what happens. Cheers, Xavier
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Mon, 2019-12-30 at 07:51 +0100, Xavier Guimard wrote: > > node-handlebars is vulnearable to prototype pollution (CVE-2019- > > 19919). > > > > Please go ahead. This apparently causes regressions in the autopkgtests of node- markdown-it-html5-embed, which you also most recently uploaded - see https://ci.debian.net/user/britney/jobs?package=node-markdown-it-html5-embed&suite[]=stable&arch[]=amd64 Is this enough of an issue to not include the node-handlebars update? Regards, Adam
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Control: tags -1 + confirmed On Mon, 2019-12-30 at 07:51 +0100, Xavier Guimard wrote: > node-handlebars is vulnearable to prototype pollution (CVE-2019- > 19919). > Please go ahead. Regards, Adam
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
Hi,
node-handlebars is vulnearable to prototype pollution (CVE-2019-19919).
This patch is exactly the one of upstream.
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index b985661..95811b9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Disallow calling "helperMissing" and "blockHelperMissing" directly
+(Closes: CVE-2019-19919)
+
+ -- Xavier Guimard Mon, 30 Dec 2019 07:46:39 +0100
+
node-handlebars (3:4.1.0-1) unstable; urgency=medium
* New upstream version 4.1.0 (Closes: #923042)
diff --git a/debian/patches/CVE-2019-19919.patch
b/debian/patches/CVE-2019-19919.patch
new file mode 100644
index 000..f63f106
--- /dev/null
+++ b/debian/patches/CVE-2019-19919.patch
@@ -0,0 +1,213 @@
+Description: Disallow calling "helperMissing" and "blockHelperMissing" directly
+ Fix for CVE-2019-19919
+Author: Nils Knappmeier
+Origin: upstream, https://github.com/wycats/handlebars.js/commit/2078c72
+Bug: https://github.com/wycats/handlebars.js/issues/1558
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2019-12-30
+
+--- a/lib/handlebars/compiler/javascript-compiler.js
b/lib/handlebars/compiler/javascript-compiler.js
+@@ -311,7 +311,7 @@
+ // replace it on the stack with the result of properly
+ // invoking blockHelperMissing.
+ blockValue: function(name) {
+-let blockHelperMissing = this.aliasable('helpers.blockHelperMissing'),
++let blockHelperMissing =
this.aliasable('container.hooks.blockHelperMissing'),
+ params = [this.contextName(0)];
+ this.setupHelperArgs(name, 0, params);
+
+@@ -329,7 +329,7 @@
+ // On stack, after, if lastHelper: value
+ ambiguousBlockValue: function() {
+ // We're being a bit cheeky and reusing the options value from the prior
exec
+-let blockHelperMissing = this.aliasable('helpers.blockHelperMissing'),
++let blockHelperMissing =
this.aliasable('container.hooks.blockHelperMissing'),
+ params = [this.contextName(0)];
+ this.setupHelperArgs('', 0, params, true);
+
+@@ -622,18 +622,31 @@
+ // If the helper is not found, `helperMissing` is called.
+ invokeHelper: function(paramSize, name, isSimple) {
+ let nonHelper = this.popStack(),
+-helper = this.setupHelper(paramSize, name),
+-simple = isSimple ? [helper.name, ' || '] : '';
++helper = this.setupHelper(paramSize, name);
+
+-let lookup = ['('].concat(simple, nonHelper);
++let possibleFunctionCalls = [];
++
++if (isSimple) { // direct call to helper
++ possibleFunctionCalls.push(helper.name);
++}
++// call a function from the input object
++possibleFunctionCalls.push(nonHelper);
+ if (!this.options.strict) {
+- lookup.push(' || ', this.aliasable('helpers.helperMissing'));
++
possibleFunctionCalls.push(this.aliasable('container.hooks.helperMissing'));
+ }
+-lookup.push(')');
+-
+-this.push(this.source.functionCall(lookup, 'call', helper.callParams));
++let functionLookupCode = ['(',
this.itemsSeparatedBy(possibleFunctionCalls, '||'), ')'];
++let functionCall = this.source.functionCall(functionLookupCode, 'call',
helper.callParams);
++this.push(functionCall);
+ },
+
++ itemsSeparatedBy: function(items, separator) {
++let result = [];
++result.push(items[0]);
++for (let i = 1; i < items.length; i++) {
++ result.push(separator, items[i]);
++}
++return result;
++ },
+ // [invokeKnownHelper]
+ //
+ // On stack, before: hash, inverse, program, params..., ...
+@@ -673,7 +686,7 @@
+ lookup[0] = '(helper = ';
+ lookup.push(
+ ' != null ? helper : ',
+-this.aliasable('helpers.helperMissing')
++this.aliasable('container.hooks.helperMissing')
+ );
+ }
+
+--- a/lib/handlebars/runtime.js
b/lib/handlebars/runtime.js
+@@ -1,6 +1,7 @@
+ import * as Utils from './utils';
+ import Exception from './exception';
+-import { COMPILER_REVISION, REVISION_CHANGES, createFrame } from './base';
++import {COMPILER_REVISION, createFrame, REVISION_CHANGES} from './base';
++import {moveHelperToHooks} from './helpers';
+
+ export function checkRevision(compilerInfo) {
+ const compilerRevision = compilerInfo && compilerInfo[0] || 1,
+@@ -44,11 +45,14 @@
+ }
+
+ partial = env.VM.resolvePartial.call(this, partial, context, options);
+-let result = env.VM.invokePartial.call(this, partial, context, options);
++
++let optionsWithHooks = Utils.extend({}, options, {hooks: this.hooks});
++
++let result = env.VM.invokePartial.call(this, partial, context,
optionsWithHooks);
+
+ if (result == null && env.compile) {
+ options.partials[options.name] = env.compile(partial,
templateSpec.compilerOptions, env);
+- result = options.parti
