I tested detectcoll with the certificate used to sign the Flame malware, and it did not report a collision. libdetectcoll-0.2 does report a collision.

$ libdetectcoll-0.2/detectcollv flame.tbs.der
Found collision in block 11:
   dm: dm4=80000000 dm11=ffff8000 dm14=80000000
   ihv1=1ba33aac3a7f9ed70aec349b40390e85
   ihv2=9ba33aac3c7f60ee8cebf69bc2391085
md5 *coll* debad046c91a23e00ad0d19aa7d4cc6d flame.tbs.der
sha1 ba2499ba3dda9ef818f854b75a2bd1cd9f2b7bed flame.tbs.der

$ gopath/bin/detectcoll -md5 < flame.tbs.der
md5(-): debad046c91a23e00ad0d19aa7d4cc6d

I fetched the sample from line 578 here (attached as flame.pem.txt, you can compare to the certificate listed in the MS blogpost to verify it's the right one), then extracted the TBSCertificate part.

Inputs that are 56 bytes long (to be exact, inputs that are 56 + n*64 bytes long) get incorrect hashes calculated for both MD5 and SHA1. This is a result of the <= 56 check here and here. An input that's exactly 56 bytes long will have the 0x80 "end of message" padding byte placed at index 56, where it will be overwritten with the first byte of the message length.

To avoid this, the condition should be < 56 (or <= 55), i.e. the padding should start a second block if the length is 56 (or above).

I'm happy to provide a pull request including test cases, but as I mentioned in the other bug report, the company I work for insists on being added to the contributor list for all open source contributions of employees. Let me know if that works for you and I'll go get the necessary approvals.