HMAC is not just used in SSL. It's a commonly employed in a lot of protocols. It's an additional level of complexity beyond a 'broken' hash to compromise HMAC.
A hash is compromised if you can find a collision faster than brute force. Even if you have no control over the data it is broken.
It is more dangerously/practically broken if you can control generating two sets of data that hash to the same value. This is where MD5 is IIRC
It is even more critically broken if, given an image that you do not control, you can generate your own data to hash to the same value.
HMAC requires that the data combined in a useful way with some shared secret hashes to the given value. An attacker is missing part of the image that would require to be attacked, and that missing part is applied to the image in a way that makes it resilient to prefix and append attacks. SHA-1 and MD5 are weaker by virtue of brute force being easier in an HMAC context, but I don't think I've heard either of them as being 'broken' in context of HMAC. An example would be if someone figured out how to change arbitrary middle part of an image and have the hash work out correctly regardless of the secret data (if it collides, that might not be the desired effect, it would have to match what the image would have after being combined with the unknown key)