The changes were to the isStandard() check.
No, they weren't. The real malleabiltiy fixes in 0.9 were in the wallet code.
(but indeed we did merge the changes from last September to expand the non-canonical forms to include the non-canonical pushes.)
Does Eligius include the malleability rules, even if it doesn't include general isStandard() checks?
Of course. It implements its own IsStandard() rules.
Looking at the code for changes, the only thing I could find
You were looking in the wrong place.
1) Inherent ECDSA signature malleability
- not fixed
0.9 authors transactions which always have low-S, this is the a prerequisite to making non-low-S non-canonical.
3) Superfluous scriptSig operations
- not fixed
Additional superfluous operations get blocked by IsStandard, IIRC.
6) Zero-padded number pushes
- not fixed
Though only relevant for multisig.
1) could be handled using the (disabled) OP_XOR opcode to verify if the signature was even.
You might as well say that it could be fixed using OP_S_EVEN ... "Disabled" OP code are no more existent than purely hypothetical ones and require no less effort to deploy. What Sipa proposes is that we make one of the version bits on transactions effectively a flag that controls enforcing a tighter set of canonical rules, including this one.
It claims on the wiki that OP_ADD etc. all use 32 bit numbers, but script.cpp seems to cast the scripts to BigNums.
You've misunderstood the code. Go look at the code that actually implements the cast.
If your scriptPubKey doesn't process any inputs as numbers, then 6) doesn't seem like a big deal.
Correct.
That suggests that except for the ECDSA signature malleability issue, transaction malleability is protected for blocks mined by pools which use isStandard().
"Protected" unless the attacker has the help of a miner. This is an adequate defense against griefing but doesn't make things like refund using protocols safe.