The final signature by itself is malleable, because for every ECDSA signature (r,s), the signature (r, -s (mod N)) is also a valid signature (of the same message).
This can be solved by requiring that "s" always be an even number. Since N is odd, only one signature is accepted as canonical.
Correct. I found a summary here:
https://gist.github.com/sipa/8907691

If I understand this correctly, (1)-(2) in this list should prevent evil* malleability. (It's only interesting to protect the signature itself, as all the other stuff cannot be modified, as that would invalidate the signature.) Can someone confirm this?
*evil = eavesdropping and then modifying the transaction by someone who does not have access to the private key