Ok, actually went and found the code in question. Yes it does appear that the hash is the same because it is generated from the tx to sign, not the full tx. So no the attack will not work as described, but it does seem that one could get it to accept an invalid transaction such that the first signature in the transaction was correct but a later input with the same key could have an invalid signature like the one described in the original post and still get accepted due to the cache.
The point is that signature is correct, if it is correct for the hash and public key combination. This is not violated by the code.
If the hash would not contain information needed, then this would be a design problem for the bitcoin protocol itself, since the bitsofproof supernode implements that correctly (otherwise it would not validate the entire chain and testnet3). Let us think about this longer...