--- src/compress.c.orig
+++ src/compress.c
@@ -256,7 +256,7 @@ file_pipe2file(struct magic_set *ms, int
 		errno = r;
 	}
 #else
-	tfd = mkstemp(buf);
+	tfd = mkostemp(buf, O_CLOEXEC);
 	te = errno;
 	(void)unlink(buf);
 	errno = te;
--- src/apprentice.c.orig
+++ src/apprentice.c
@@ -676,7 +676,7 @@ load_1(struct magic_set *ms, int action,
 	char *line = NULL;
 	ssize_t len;
 
-	FILE *f = fopen(ms->file = fn, "r");
+	FILE *f = fopen(ms->file = fn, "re");
 	if (f == NULL) {
 		if (errno != ENOENT)
 			file_error(ms, errno, "cannot read magic file `%s'",
@@ -2226,7 +2226,7 @@ apprentice_map(struct magic_set *ms, str
 	if (dbname == NULL)
 		goto error2;
 
-	if ((fd = open(dbname, O_RDONLY|O_BINARY)) == -1)
+	if ((fd = open(dbname, O_RDONLY|O_BINARY|O_CLOEXEC)) == -1)
 		goto error2;
 
 	if (fstat(fd, &st) == -1) {
@@ -2324,7 +2324,7 @@ apprentice_compile(struct magic_set *ms,
 	if (dbname == NULL) 
 		goto out;
 
-	if ((fd = open(dbname, O_WRONLY|O_CREAT|O_TRUNC|O_BINARY, 0644)) == -1) {
+	if ((fd = open(dbname, O_WRONLY|O_CREAT|O_TRUNC|O_BINARY|O_CLOEXEC, 0644)) == -1) {
 		file_error(ms, errno, "cannot open `%s'", dbname);
 		goto out;
 	}
--- src/magic.c.orig
+++ src/magic.c
@@ -411,7 +411,7 @@ file_or_fd(struct magic_set *ms, const c
 		if (fstat(fd, &sb) == 0 && S_ISFIFO(sb.st_mode))
 			ispipe = 1;
 	} else {
-		int flags = O_RDONLY|O_BINARY;
+		int flags = O_RDONLY|O_BINARY|O_CLOEXEC;
 
 		if (stat(inname, &sb) == 0 && S_ISFIFO(sb.st_mode)) {
 #ifdef O_NONBLOCK
--- src/file.c.orig
+++ src/file.c
@@ -385,7 +385,7 @@ unwrap(struct magic_set *ms, const char
 		f = stdin;
 		wid = 1;
 	} else {
-		if ((f = fopen(fn, "r")) == NULL) {
+		if ((f = fopen(fn, "re")) == NULL) {
 			(void)fprintf(stderr, "%s: Cannot open `%s' (%s).\n",
 			    progname, fn, strerror(errno));
 			return 1;