In either case it's not enough to break SHA256, it's also needed to break RIPEMD160 and ECDSA.
You could "just" break RIPEMD-160 & SHA-256 OR ECDSA (limited to addresses where the PubKey is known).
Find a PubKeyB such that for an existing PubKey A they both produce the same PubKeyHash.
i.e.
RIPEMD-160(SHA-256(SHA-256(PubKeyA)) == PubKeyHashA
RIPEMD-160(SHA-256(SHA-256(PubKeyB)) == PubKeyHashB
If PubKeyHashA == PubKeyHashB then the private key for either PubKeyA or PubKeyB can spend coins sent to Address A or B even if PubKeyA =/= PubKeyB.
Remember in a normal Bitcoin tx you are not paying to the PubKey you are paying to the hash of the PubKey.
1. How do you get Private Key B that's needed to sign the transaction?
2. Isn't address generation RIPEMD-160(SHA-256(PubKey)) rather than RIPEMD-160(SHA-256(SHA-256(PubKey))?