diff --git a/SOURCES/which-2.21-coverity.patch b/SOURCES/which-2.21-coverity.patch
new file mode 100644
index 0000000..4a0a650
--- /dev/null
+++ b/SOURCES/which-2.21-coverity.patch
@@ -0,0 +1,62 @@
+diff -up which-2.21/tilde/tilde.c.coverity2 which-2.21/tilde/tilde.c
+--- which-2.21/tilde/tilde.c.coverity2	2021-03-21 21:04:34.691775991 +0100
++++ which-2.21/tilde/tilde.c	2021-03-21 21:13:36.853129481 +0100
+@@ -193,9 +193,8 @@ tilde_expand (string)
+      const char *string;
+ {
+   char *result;
+-  int result_size, result_index;
++  int result_size = 0, result_index = 0;
+ 
+-  result_index = result_size = 0;
+   result = strchr (string, '~');
+   if (result)
+     result = (char *)xmalloc (result_size = (strlen (string) + 16));
+@@ -271,7 +270,7 @@ isolate_tilde_prefix (fname, lenp)
+   char *ret;
+   int i;
+ 
+-  ret = (char *)xmalloc (strlen (fname));
++  ret = (char *)xmalloc (strlen (fname) + 1);
+ #if defined (__MSDOS__)
+   for (i = 1; fname[i] && fname[i] != '/' && fname[i] != '\\'; i++)
+ #else
+diff -up which-2.21/which.c.coverity2 which-2.21/which.c
+--- which-2.21/which.c.coverity2	2021-03-21 21:04:34.691775991 +0100
++++ which-2.21/which.c	2021-03-21 21:04:34.692775983 +0100
+@@ -76,8 +76,9 @@ static int skip_functions = 0, read_func
+ 
+ static char *find_command_in_path(const char *name, const char *path_list, int *path_index)
+ {
+-  char *found = NULL, *full_path;
++  char *found = NULL, *full_path = NULL;
+   int status, name_len;
++  char *p;
+ 
+   name_len = strlen(name);
+ 
+@@ -85,7 +86,6 @@ static char *find_command_in_path(const
+     absolute_path_given = 0;
+   else
+   {
+-    char *p;
+     absolute_path_given = 1;
+ 
+     if (abs_path)
+@@ -159,6 +159,7 @@ static char *find_command_in_path(const
+     free(full_path);
+   }
+ 
++  name = NULL; p = NULL; path_list = NULL;
+   return (found);
+ }
+ 
+@@ -540,7 +541,7 @@ int main(int argc, char *argv[])
+   int function_start_type = 0;
+   if (read_alias || read_functions)
+   {
+-    char buf[1024];
++    char buf[1024] = {};
+     int processing_aliases = read_alias;
+ 
+     if (isatty(0))
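Review bot: The added `name = NULL; p = NULL; path_list = NULL;` just before `return (found);` in find_command_in_path overwrites two parameters and a local that go out of scope on the next line, so it has no runtime effect and releases nothing. If the scanner finding behind it was a leak through `p` or `full_path`, this line silences the report rather than resolving it; the allocation and its ownership, which lie outside the visible context, should be checked and the buffer freed where it is last used. Separately, `char buf[1024] = {};` in main relies on an empty initializer, which is a GNU extension before C23; `char buf[1024] = {0};` is the portable spelling. Both functions continue outside the embedded hunks.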
diff --git a/SOURCES/which2.sh b/SOURCES/which2.sh
index 25dd0de..8fc0284 100644
--- a/SOURCES/which2.sh
+++ b/SOURCES/which2.sh
@@ -1,7 +1,17 @@
-# Initialization script for bash and sh
+# shellcheck shell=sh
+# Initialization script for bash, sh, mksh and ksh
 
-if [ "$0" = "ksh" ] || [ "$0" = "-ksh" ] ; then
-  alias which='(alias; typeset -f) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot'
-else
-  alias which='(alias; declare -f) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot'
+_declare="declare -f"
+_opt="-f"
+
+if [ "$0" = "ksh" ] || [ "$0" = "-ksh" ] || [ "$0" = "mksh" ] || [ "$0" = "-mksh" ] ; then
+  _declare="typeset -f"
+  _opt=""
 fi
+ 
+which ()
+{
+(alias; eval ${_declare}) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot "$@"
+}
+
+export ${_opt} which
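Review bot: The new `which` function expands `${_declare}` through `eval` on every call, so its behaviour depends on a generically named, unexported global staying intact for the whole session. Any later assignment to `_declare` by the user or another sourced script changes what is evaluated. In bash, `export -f which` hands the function to child shells without `_declare`, where the `eval` presumably runs empty and shell functions drop out of the lookup. Defining the function once per shell family with the command written out removes the `eval` and both leftover variables. With `_opt` empty, the ksh branch runs `export which`, which marks a variable named `which` for export rather than the function, so the sketch below drops it; confirm nothing relies on that.

```shell
if [ "$0" = "ksh" ] || [ "$0" = "-ksh" ] || [ "$0" = "mksh" ] || [ "$0" = "-mksh" ] ; then
  which ()
  {
    (alias; typeset -f) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot "$@"
  }
else
  which ()
  {
    (alias; declare -f) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot "$@"
  }
  # function export is bash-only, so it stays in this branch
  export -f which
fi
```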
diff --git a/SPECS/which.spec b/SPECS/which.spec
index 8f7f303..2838787 100644
--- a/SPECS/which.spec
+++ b/SPECS/which.spec
@@ -1,12 +1,13 @@
 Summary: Displays where a particular program in your path is located
 Name: which
 Version: 2.21
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: GPLv3
 Source0: http://ftp.gnu.org/gnu/which/%{name}-%{version}.tar.gz
 Source1: which2.sh
 Source2: which2.csh
 Patch0: which-2.21-coverity-fixes.patch
+Patch1: which-2.21-coverity.patch
 Url: https://savannah.gnu.org/projects/which/
 BuildRequires:  gcc
 BuildRequires: readline-devel
@@ -18,6 +19,7 @@ the specified program is in your PATH.
 %prep
 %setup -q
 %patch0 -p1 -b .coverity
+%patch1 -p1 -b .coverity2
 
 %build
 %configure
@@ -39,6 +41,10 @@ rm -f $RPM_BUILD_ROOT%{_infodir}/dir
 %{_mandir}/man1/which.1*
 
 %changelog
+* Fri Mar 19 2021 Than Ngo <than@redhat.com> - 2.21-13
+- Resolves: #1940468, fixed syntax error caused by testcase: a=b which ls
+  Coverity issue
+
 * Tue Nov 19 2019 Than Ngo <than@redhat.com> - 2.21-12
 - Fixed coverity issue