diff --git a/0009-curl-7.61.1-CVE-2018-16890.patch b/0009-curl-7.61.1-CVE-2018-16890.patch
new file mode 100644
index 0000000..0a15ade
--- /dev/null
+++ b/0009-curl-7.61.1-CVE-2018-16890.patch
@@ -0,0 +1,36 @@
+From 81c0e81531623251a0e78f7779c049f530abe733 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 2 Jan 2019 20:33:08 +0100
+Subject: [PATCH] NTLM: fix size check condition for type2 received data
+
+Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
+Reported-by: Wenxiang Qian
+CVE-2018-16890
+
+Upstream-commit: b780b30d1377adb10bbe774835f49e9b237fb9bb
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vauth/ntlm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index cdb8d8f..b614cda 100644
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -182,10 +182,11 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
+     target_info_len = Curl_read16_le(&buffer[40]);
+     target_info_offset = Curl_read32_le(&buffer[44]);
+     if(target_info_len > 0) {
+-      if(((target_info_offset + target_info_len) > size) ||
++      if((target_info_offset >= size) ||
++         ((target_info_offset + target_info_len) > size) ||
+          (target_info_offset < 48)) {
+         infof(data, "NTLM handshake failure (bad type-2 message). "
+-                    "Target Info Offset Len is set incorrect by the peer\n");
++              "Target Info Offset Len is set incorrect by the peer\n");
+         return CURLE_BAD_CONTENT_ENCODING;
+       }
+ 
+-- 
+2.17.2
+
diff --git a/curl.spec b/curl.spec
index a2fe88b..4d895d9 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
@@ -31,6 +31,9 @@ Patch7:   0007-curl-7.63.0-JO-preserve-local-file.patch
 # xattr: strip credentials from any URL that is stored (CVE-2018-20483)
 Patch8:   0008-curl-7.61.1-CVE-2018-20483.patch
 
+# fix NTLM type-2 out-of-bounds buffer read (CVE-2018-16890)
+Patch9:   0009-curl-7.61.1-CVE-2018-16890.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -198,6 +201,7 @@ git apply %{PATCH4}
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -364,6 +368,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Wed Feb 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-8
+- fix NTLM type-2 out-of-bounds buffer read (CVE-2018-16890)
+
 * Mon Jan 21 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-7
 - xattr: strip credentials from any URL that is stored (CVE-2018-20483)