Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The #cgo pkg-config: directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a –log-file argument to this directive, causing pkg-config to write to an attacker-controlled location.