FYI, RSA PKCS#1v1.5 signatures can be broken due to trivial implementation errors. 
From a cursory glance, all of these implementations are in C it seems like a C systemic issue, not an issue with RSA.
But I might be wrong because I've yet to read the paper.
(But again, haven't read the paper, also don't remember how bb signature forgery works)
(I'll read the paper but right now I'm in Hawaii doing snorkeling)
The bug is straightforward: RSA implementations don't verify all the bits in the padding, but rather "parse" it to find the digest, and then verify that. But there are, of course, bajillions of potential padded signature block representations that contain any given digest, since the block is so much bigger than the digest. For e=3, and for particularly naive implementations (like Firefox's, at the time) you can almost literally just formulate the signature block you want, then take its cube root to forge a signature.
Sorry to disapoint I did not do all the cryptopals :P filippo actually has a good blogpost on that attack IIRC.
(There are some set-7 problems I haven't done yet, for whatever that's worth. But e=3 sigs are a big one!)