diff --git a/rpm-4.16.1.3-imp-covscan-fixes.patch b/rpm-4.16.1.3-imp-covscan-fixes.patch
new file mode 100644
index 0000000..19d8647
--- /dev/null
+++ b/rpm-4.16.1.3-imp-covscan-fixes.patch
@@ -0,0 +1,258 @@
+commit c7d7c5acd0c14d0450016887cba1d86483086794
+Author: Michal Domonkos <mdomonko@redhat.com>
+Date:   Mon Jun 21 10:05:10 2021 +0200
+
+    Add quoting to literal curly brackets
+    
+    These curly brackets are already treated as literals by the shell, so
+    let's make that explicit for clarity, and silence a ShellCheck warning
+    at the same time.
+    
+    More info: https://github.com/koalaman/shellcheck/wiki/SC1083
+    
+    Found by ShellCheck.
+
+    Adjusted for 4.16.1.3
+
+diff -up rpm-4.16.1.3/scripts/check-rpaths-worker.orig rpm-4.16.1.3/scripts/check-rpaths-worker
+--- rpm-4.16.1.3/scripts/check-rpaths-worker.orig	2021-06-29 15:34:31.671003589 +0200
++++ rpm-4.16.1.3/scripts/check-rpaths-worker	2021-06-29 15:34:51.993414093 +0200
+@@ -120,13 +120,13 @@ for i; do
+ 	        (/lib64/*|/usr/lib64/*|/usr/X11R6/lib64/*|/usr/local/lib64/*)
+ 		    badness=0;;
+ 
+-		(\$ORIGIN|\${ORIGINX}|\$ORIGIN/*|\${ORIGINX}/*)
++		(\$ORIGIN|\$\{ORIGINX\}|\$ORIGIN/*|\$\{ORIGINX\}/*)
+ 		    test $allow_ORIGIN -eq 0 && badness=8 || {
+ 			badness=0
+ 			new_allow_ORIGIN=1
+ 		    }
+ 		    ;;
+-		(/*\$PLATFORM*|/*\${PLATFORM}*|/*\$LIB*|/*\${LIB}*)
++		(/*\$PLATFORM*|/*\$\{PLATFORM\}*|/*\$LIB*|/*\$\{LIB\}*)
+ 		    badness=0;;
+ 	    	
+ 	        (/lib|/usr/lib|/usr/X11R6/lib)
+From 5baf73feb4951cc3b3f553a4b18d3b3599cbf87c Mon Sep 17 00:00:00 2001
+From: Michal Domonkos <mdomonko@redhat.com>
+Date: Fri, 25 Jun 2021 11:21:46 +0200
+Subject: [PATCH 1/6] Always free the arg list passed to rpmGlob()
+
+Even though the actual implementation of rpmGlob() does not allocate the
+passed arg list (av) if the return code (rc) is non-zero or arg count
+(ac) is 0, it's the responsibility of the caller (rpmInstall() here) to
+free that memory, so make sure we do that irrespectively of the above
+conditions.
+
+Found by Coverity.
+---
+ lib/rpminstall.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/rpminstall.c b/lib/rpminstall.c
+index 724126e94..302ec0ba1 100644
+--- a/lib/rpminstall.c
++++ b/lib/rpminstall.c
+@@ -461,6 +461,7 @@ int rpmInstall(rpmts ts, struct rpmInstallArguments_s * ia, ARGV_t fileArgv)
+ 		rpmlog(RPMLOG_ERR, _("File not found by glob: %s\n"), *eiu->fnp);
+ 	    }
+ 	    eiu->numFailed++;
++	    argvFree(av);
+ 	    continue;
+ 	}
+ 
+-- 
+2.31.1
+
+From 3c8b01b67ec907afaaffe71691fa41b878578527 Mon Sep 17 00:00:00 2001
+From: Michal Domonkos <mdomonko@redhat.com>
+Date: Mon, 14 Jun 2021 10:21:25 +0200
+Subject: [PATCH 2/6] Fix resource leak in Fts_children()
+
+This function is not used anywhere within our codebase (and neither is
+it part of the public API) so it's basically a no-op... Still, rather
+than yanking it completely, let's just silence the Coverity error here.
+
+Found by Coverity.
+---
+ misc/fts.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/misc/fts.c b/misc/fts.c
+index d3ebb2946..caf27495d 100644
+--- a/misc/fts.c
++++ b/misc/fts.c
+@@ -585,8 +585,10 @@ Fts_children(FTS * sp, int instr)
+ 	if ((fd = __open(".", O_RDONLY, 0)) < 0)
+ 		return (NULL);
+ 	sp->fts_child = fts_build(sp, instr);
+-	if (__fchdir(fd))
++	if (__fchdir(fd)) {
++		(void)__close(fd);
+ 		return (NULL);
++	}
+ 	(void)__close(fd);
+ 	return (sp->fts_child);
+ }
+-- 
+2.31.1
+
+From 39b7bf8579e0522cf16347b3a7e332d3b6d742c6 Mon Sep 17 00:00:00 2001
+From: Michal Domonkos <mdomonko@redhat.com>
+Date: Mon, 14 Jun 2021 12:34:23 +0200
+Subject: [PATCH 3/6] Fix memory leak in fts_build()
+
+Turns out this leak is already fixed in glibc's current version of fts.c
+(where our copy originates from), so let's just backport that.
+
+Original commit in glibc:
+https://sourceware.org/git/?p=glibc.git;\
+a=commit;h=db67c2c98b89a5723af44df54f38b779de8d4a65
+
+Found by Coverity.
+---
+ misc/fts.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/misc/fts.c b/misc/fts.c
+index caf27495d..f7fce0eaa 100644
+--- a/misc/fts.c
++++ b/misc/fts.c
+@@ -855,6 +855,7 @@ mem1:				saved_errno = errno;
+ 	     fts_safe_changedir(sp, cur->fts_parent, -1, ".."))) {
+ 		cur->fts_info = FTS_ERR;
+ 		SET(FTS_STOP);
++		fts_lfree(head);
+ 		return (NULL);
+ 	}
+ 
+@@ -862,6 +863,7 @@ mem1:				saved_errno = errno;
+ 	if (!nitems) {
+ 		if (type == BREAD)
+ 			cur->fts_info = FTS_DP;
++		fts_lfree(head);
+ 		return (NULL);
+ 	}
+ 
+-- 
+2.31.1
+
+From 9c093c4f092dd6bd1e0c8d2b852a72b74db076c2 Mon Sep 17 00:00:00 2001
+From: Michal Domonkos <mdomonko@redhat.com>
+Date: Tue, 15 Jun 2021 13:34:21 +0200
+Subject: [PATCH 4/6] Fix memory leak in decodePkts()
+
+Found by Coverity.
+---
+ rpmio/rpmpgp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index c59185dce..ee5c81e24 100644
+--- a/rpmio/rpmpgp.c
++++ b/rpmio/rpmpgp.c
+@@ -1371,9 +1371,13 @@ static pgpArmor decodePkts(uint8_t *b, uint8_t **pkt, size_t *pktlen)
+ 	    crc = pgpCRC(dec, declen);
+ 	    if (crcpkt != crc) {
+ 		ec = PGPARMOR_ERR_CRC_CHECK;
++		_free(dec);
+ 		goto exit;
+ 	    }
+-	    if (pkt) *pkt = dec;
++	    if (pkt)
++		*pkt = dec;
++	    else
++		_free(dec);
+ 	    if (pktlen) *pktlen = declen;
+ 	    ec = PGPARMOR_PUBKEY;	/* XXX ASCII Pubkeys only, please. */
+ 	    goto exit;
+-- 
+2.31.1
+
+From 590b2fc06252567eb7d57197dc361a8b459d62a3 Mon Sep 17 00:00:00 2001
+From: Michal Domonkos <mdomonko@redhat.com>
+Date: Mon, 21 Jun 2021 17:51:14 +0200
+Subject: [PATCH 5/6] Fix memory leak with multiple %lang-s in one line
+
+We permit two equivalent forms of specifying a list of languages per
+file:
+
+  %lang(xx,yy,zz) /path/to/file
+  %lang(xx) %lang(yy) %lang(zz) /path/to/file
+
+The leak was when parsing the second form.
+
+Found by Coverity.
+---
+ build/files.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/build/files.c b/build/files.c
+index f8153ad2b..0c8859f6c 100644
+--- a/build/files.c
++++ b/build/files.c
+@@ -777,6 +777,8 @@ static rpmRC parseForLang(char * buf, FileEntry cur)
+ 
+ 	if (*pe == ',') pe++;	/* skip , if present */
+     }
++
++    q = _free(q);
+   }
+ 
+     rc = RPMRC_OK;
+-- 
+2.31.1
+
+From b7a1e996326ee29a163d67ceb1e6127fdc251c14 Mon Sep 17 00:00:00 2001
+From: Michal Domonkos <mdomonko@redhat.com>
+Date: Fri, 25 Jun 2021 15:15:08 +0200
+Subject: [PATCH 6/6] Fix memory leaks in Lua rex extension
+
+This covers the following usage:
+
+expr = rex.newPOSIX(<regex>)
+expr:match(<string>)           # A leak occurred here
+expr:gmatch(<string>, <func>)  # A leak occurred here
+
+Found by Coverity.
+---
+ luaext/lrexlib.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/luaext/lrexlib.c b/luaext/lrexlib.c
+index 09c5a6454..0f29b6371 100644
+--- a/luaext/lrexlib.c
++++ b/luaext/lrexlib.c
+@@ -80,6 +80,7 @@ static void rex_push_matches(lua_State *L, const char *text, regmatch_t *match,
+ 
+ static int rex_match(lua_State *L)
+ {
++  int rc = 0;
+   int res;
+ #ifdef REG_BASIC
+   size_t len;
+@@ -109,9 +110,10 @@ static int rex_match(lua_State *L)
+     lua_pushstring(L, "n");
+     lua_pushnumber(L, ncapt);
+     lua_rawset(L, -3);
+-    return 3;
+-  } else
+-    return 0;
++    rc = 3;
++  }
++  free(match);
++  return rc;
+ }
+ 
+ static int rex_gmatch(lua_State *L)
+@@ -158,6 +160,7 @@ static int rex_gmatch(lua_State *L)
+       break;
+   }
+   lua_pushnumber(L, nmatch);
++  free(match);
+   return 1;
+ }
+ 
+-- 
+2.31.1
+
diff --git a/rpm.spec b/rpm.spec
index 571506d..5fd1b33 100644
--- a/rpm.spec
+++ b/rpm.spec
@@ -32,7 +32,7 @@
 
 %global rpmver 4.16.1.3
 #global snapver rc1
-%global rel 1
+%global rel 2
 %global sover 9
 
 %global srcver %{rpmver}%{?snapver:-%{snapver}}
@@ -48,7 +48,7 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}%{rel}%{?dist}.2
+Release: %{?snapver:0.%{snapver}.}%{rel}%{?dist}
 Url: http://www.rpm.org/
 Source0: http://ftp.rpm.org/releases/%{srcdir}/rpm-%{srcver}.tar.bz2
 %if %{with bdb} && %{with int_bdb}
@@ -68,6 +68,7 @@ Patch6: 0001-find-debuginfo.sh-decompress-DWARF-compressed-ELF-se.patch
 Patch7: 0001-Issue-deprecation-warning-when-creating-BDB-database.patch
 
 # Patches already upstream:
+Patch100: rpm-4.16.1.3-imp-covscan-fixes.patch
 
 # These are not yet upstream
 Patch906: rpm-4.7.1-geode-i686.patch
@@ -575,6 +576,9 @@ fi
 %doc doc/librpm/html/*
 
 %changelog
+* Tue Jun 29 2021 Michal Domonkos <mdomonko@redhat.com> - 4.16.1.3-2
+- Address important covscan issues (#1938861)
+
 * Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 4.16.1.3-1.2
 - Rebuilt for RHEL 9 BETA for openssl 3.0. Related: rhbz#1971065