Whilst this is true, it looks like OpenWRT fixed the hash truncation but not the command injection.

I hope they're planning on fixing the command injection. As the blog post says, the created images are signed. Even without the signing, it's code execution from untrusted user input. And of course vulnerabilities can be strung together (just like in this hash collision case).