 src/cmd/go/internal/work/exec.go     | 8 ++++++++
 src/cmd/go/internal/work/security.go | 1 +
diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
index f2d1b1040b223b1f2a50435277032b1b797c44f3..311e96130835d52abe4e356dda366791d13671bb 100644
--- a/src/cmd/go/internal/work/exec.go
+++ b/src/cmd/go/internal/work/exec.go
@@ -1788,6 +1788,14 @@ if !load.SafeArg(pkg) {
 				return nil, nil, fmt.Errorf("invalid pkg-config package name: %s", pkg)
 			}
 		}
+
+		// Running 'pkg-config' can cause execution of
+		// arbitrary code using flags that are not in
+		// the safelist.
+		if err := checkCompilerFlags("CFLAGS", "pkg-config --cflags", pcflags); err != nil {
+			return nil, nil, err
+		}
+
 		var out []byte
 		out, err = sh.runOut(p.Dir, nil, b.PkgconfigCmd(), "--cflags", pcflags, "--", pkgs)
 		if err != nil {
diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
index ffa83e05917d5241bf50ca45fed376dd6b48560b..80b3f8797cc3cee1574931394e11e2ccd98cf05d 100644
--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
@@ -129,6 +129,7 @@ re(`--param=ssp-buffer-size=[0-9]*`),
 	re(`-pedantic(-errors)?`),
 	re(`-pipe`),
 	re(`-pthread`),
+	re(`--static`),
 	re(`-?-std=([^@\-].*)`),
 	re(`-?-stdlib=([^@\-].*)`),
 	re(`--sysroot=([^@\-].*)`),
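Review bot: The new check validates pcflags, which are the options handed to pkg-config itself (they go on the `sh.runOut` command line before `--`, not to the C compiler), against the compiler-flag safelist under the name "CFLAGS", and the added comment does not say so; a reader will take them for compiler flags. Suggest extending the comment: `// pcflags are arguments to pkg-config, not the compiler, but they are checked against the compiler-flag safelist (under the CFLAGS name) because pkg-config will act on whatever it is given.` If checkCompilerFlags derives a CGO_<name>_ALLOW/_DISALLOW override from that first argument, as the "CFLAGS" label suggests, then CGO_CFLAGS_ALLOW now also widens what reaches pkg-config, which is worth stating where that variable is documented. The enclosing function starts before the hunk and continues after it, so any later pkg-config invocation that reuses pcflags (for example a `--libs` call) is covered by this single check only as long as it stays on the same path.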
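Review bot: `--static` is added to what appears to be the shared compiler-flag safelist (its neighbours are `-pedantic`, `-pipe`, `-pthread`, `-std=`), so it is now accepted by every caller of that list, including `#cgo CFLAGS` directives and CGO_CFLAGS, not only the pkg-config arguments that the exec.go hunk validates against it. Nothing on this page records that motivation, and an unexplained entry in a security safelist is the kind that gets pruned or copied without thought later; suggest annotating it inline: `re(`--static`), // pkg-config option; pkg-config arguments are checked against this list`. If pkg-config-specific options keep accumulating, a separate small list for them would avoid widening the compiler safelist for each one.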