diff --git a/0010-curl-7.59.0-CVE-2018-16842.patch b/0010-curl-7.59.0-CVE-2018-16842.patch
new file mode 100644
index 0000000..6903ad6
--- /dev/null
+++ b/0010-curl-7.59.0-CVE-2018-16842.patch
@@ -0,0 +1,78 @@
+From 27d6c92acdac671ddf8f77f72956b2181561f774 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sun, 28 Oct 2018 01:33:23 +0200
+Subject: [PATCH 1/2] voutf: fix bad arethmetic when outputting warnings to
+ stderr
+
+CVE-2018-16842
+Reported-by: Brian Carpenter
+Bug: https://curl.haxx.se/docs/CVE-2018-16842.html
+
+Upstream-commit: d530e92f59ae9bb2d47066c3c460b25d2ffeb211
+Signed-off-by: Kamil Dudka
+---
+ src/tool_msgs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tool_msgs.c b/src/tool_msgs.c
+index 9cce806..05bec39 100644
+--- a/src/tool_msgs.c
++++ b/src/tool_msgs.c
+@@ -67,7 +67,7 @@ static void voutf(struct GlobalConfig *config,
+ (void)fwrite(ptr, cut + 1, 1, config->errors);
+ fputs("\n", config->errors);
+ ptr += cut + 1; /* skip the space too */
+- len -= cut;
++ len -= cut + 1;
+ }
+ else {
+ fputs(ptr, config->errors);
+--
+2.17.2
+
+
+From 23f8c641b02e6c302d0e8cc5a5ee225a33b01f28 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sun, 28 Oct 2018 10:43:57 +0100
+Subject: [PATCH 2/2] test2080: verify the fix for CVE-2018-16842
+
+Upstream-commit: 350306e4726b71b5b386fc30e3fecc039a807157
+Signed-off-by: Kamil Dudka
+---
+ tests/data/Makefile.inc | 3 ++-
+ tests/data/test2080 | Bin 0 -> 20659 bytes
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test2080
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index e045748..aa5fff0 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -194,4 +194,5 @@ test2048 test2049 test2050 test2051 test2052 test2053 test2054 test2055 \
+ test2056 test2057 test2058 test2059 test2060 test2061 test2062 test2063 \
+ test2064 test2065 test2066 test2067 test2068 test2069 \
+ \
+-test2070 test2071 test2072 test2073
++test2070 test2071 test2072 test2073 \
++test2080
+diff --git a/tests/data/test2080 b/tests/data/test2080
+new file mode 100644
+index 
0000000000000000000000000000000000000000..47e376ecb5d7879c0a98e392bff48ccc52e9db0a +GIT binary patch +literal 20659 +zcmeI)Pj3@35QkyT{uI*`iBshYE(n>u@JB+F3kdG+t~asjwJY0gl}``eO+)FONU8ef +zl6Ca+%A4K8~qdz +zd{+G6l*#ToY+DU||F9%J1n*+KPxQ;7MapuoQ!&MMQSXmpqMh0_yS6g=;N;HNjilBk +zY$c?)mULZxib{;$g~jw~nrs|8b@sJI)_QmS_4(WLrNld}2Y0LEO$e>m->_NA&o$n! +z9^YDZ>cvMs2q1s}0tg_000PG)@a?$9VHyMwKmY**5I_I{1Q0m1z~!MEP#*yV5I_I{ +z1Q0*~0R#|0009ILKmY**4ldvh-hl=PAb-+Xw`j-8D +zzg+g?Rt8(G*s;1Sb>n1S94H%G - 7.59.0-8 +- fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842) - test320: update expected output for gnutls-3.6.4 * Wed Sep 05 2018 Kamil Dudka - 7.59.0-7
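Review bot: In the embedded `src/tool_msgs.c` hunk, `ptr += cut + 1;` and `len -= cut + 1;` have to move by the same amount, yet only the `ptr` line carries a comment and nothing states that the two are coupled. The removed `len -= cut;` left `len` one byte too large after every wrapped line, so the remaining-length count no longer matched what `ptr` still pointed at; that mismatch is presumably the out-of-bounds read tracked as CVE-2018-16842. A comment on the new line such as `/* must equal the ptr advance above, or len overstates what is left */` would guard against the two drifting apart again, and since this is a backport it belongs upstream rather than in the downstream patch. The `voutf` loop starts and ends outside the hunk, so the loop condition and the type of `len` cannot be checked from here.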