gce-compute-image-packages is vulnerable to arbitrary code execution. The vulnerability exists through a privilege escalation flaw where a user with membership to the “docker” group is able to run docker and mount the host OS, and to modify /etc/groups
to gain administrative privileges.
lists.opensuse.org/opensuse-security-announce/2020-07/msg00037.html
lists.opensuse.org/opensuse-security-announce/2020-07/msg00047.html
cloud.google.com/support/bulletins/#gcp-2020-008
github.com/GoogleCloudPlatform/guest-oslogin/pull/29
gitlab.com/gitlab-com/gl-security/gl-redteam/red-team-tech-notes/-/tree/master/oslogin-privesc-june-2020