diff --git a/0002-coverity-fixes.patch b/0002-coverity-fixes.patch
new file mode 100644
index 0000000..2e3d9dd
--- /dev/null
+++ b/0002-coverity-fixes.patch
@@ -0,0 +1,80 @@
+From 741e8fa0ee62563589870592071188d6391ead38 Mon Sep 17 00:00:00 2001
+From: Than Ngo <than@redhat.com>
+Date: Sun, 21 Mar 2021 18:34:09 +0000
+Subject: [PATCH] coverity fixes
+
+---
+ tilde/tilde.c | 8 ++++----
+ which.c       | 7 ++++---
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/tilde/tilde.c b/tilde/tilde.c
+index 1b76c9f..b393506 100644
+--- a/tilde/tilde.c
++++ b/tilde/tilde.c
+@@ -193,10 +193,10 @@ tilde_expand (string)
+      const char *string;
+ {
+   char *result;
+-  int result_size, result_index;
++  int result_size = 0, result_index = 0;
+ 
+-  result_index = result_size = 0;
+-  if (result = strchr (string, '~'))
++  result = strchr (string, '~');
++  if (result)
+     result = (char *)xmalloc (result_size = (strlen (string) + 16));
+   else
+     result = (char *)xmalloc (result_size = (strlen (string) + 1));
+@@ -270,7 +270,7 @@ isolate_tilde_prefix (fname, lenp)
+   char *ret;
+   int i;
+ 
+-  ret = (char *)xmalloc (strlen (fname));
++  ret = (char *)xmalloc (strlen (fname) + 1);
+ #if defined (__MSDOS__)
+   for (i = 1; fname[i] && fname[i] != '/' && fname[i] != '\\'; i++)
+ #else
+diff --git a/which.c b/which.c
+index 525c0d0..9f93021 100644
+--- a/which.c
++++ b/which.c
+@@ -81,16 +81,16 @@ static int skip_functions = 0, read_functions = 0;
+ 
+ static char *find_command_in_path(const char *name, const char *path_list, int *path_index)
+ {
+-  char *found = NULL, *full_path;
++  char *found = NULL, *full_path = NULL;
+   int status, name_len;
+ 
+   name_len = strlen(name);
++  char *p;
+ 
+   if (!absolute_program(name))
+     absolute_path_given = 0;
+   else
+   {
+-    char *p;
+     absolute_path_given = 1;
+ 
+     if (abs_path)
+@@ -164,6 +164,7 @@ static char *find_command_in_path(const char *name, const char *path_list, int *
+     free(full_path);
+   }
+ 
++  name = NULL; p = NULL; path_list = NULL;
+   return (found);
+ }
+ 
+@@ -545,7 +546,7 @@ int main(int argc, char *argv[])
+   int function_start_type = 0;
+   if (read_alias || read_functions)
+   {
+-    char buf[1024];
++    char buf[1024] = {};
+     int processing_aliases = read_alias;
+ 
+     if (isatty(0))
+-- 
+2.43.0
+
diff --git a/which.spec b/which.spec
index f465913..610c27c 100644
--- a/which.spec
+++ b/which.spec
@@ -1,12 +1,13 @@
 Name:		which
 Version:	2.21
-Release:	16
+Release:	17
 Summary:	Show the full path of commands
 License:	GPLv3
 URL:		https://savannah.gnu.org/projects/which/
 Source0:	http://ftp.gnu.org/gnu/which/%{name}-%{version}.tar.gz
 
 Patch1:  0001-which-fails-for-long-path.patch
+Patch2:  0002-coverity-fixes.patch
 
 BuildRequires:	gcc
 
@@ -42,6 +43,9 @@ rm -f %{buildroot}/%{_datadir}/info/dir
 %{_datadir}/info/%{name}.info.gz
 
 %changelog
+* Thu Nov 21 2024 Deyuan Fan <fandeyuan@kylinos.cn> - 2.21-17
+- fixed coverity issues
+
 * Tue Apr 30 2024 Deyuan Fan <fandeyuan@kylinos.cn> - 2.21-16
 - Type: bugfix
 - ID: NA