On some platforms, char can be unsigned. Change the function gnutls_x509_crl_set_version() to explicitly check for versions less than one and reject them with GNUTLS_E_INVALID_REQUEST. This behaviour matches the function's documentation (version must be 1, 2 or possibly greater) and works even if char is unsigned.
--- gnutls-2.2.5/lib/x509/crl_write.c.old 2008-05-24 09:43:30.000000000 +0000
+++ gnutls-2.2.5/lib/x509/crl_write.c 2008-05-24 09:44:36.000000000 +0000
@@ -60,7 +60,7 @@
 gnutls_x509_crl_set_version (gnutls_x509_crl_t crl, unsigned int version)
 {
 int result;
- char null = version;
+ char null;
 
 if (crl == NULL)
 {
@@ -68,9 +68,13 @@
 return GNUTLS_E_INVALID_REQUEST;
 }
 
- null -= 1;
- if (null < 0)
- null = 0;
+ if (version < 1)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ null = version - 1;
 
 result = asn1_write_value (crl->crl, "tbsCertList.version", &null, 1);
 if (result != ASN1_SUCCESS)
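Review bot: The declaration kept in this hunk is still plain `char`, the type whose implementation-defined signedness the commit message names as the problem, and its address is later handed to asn1_write_value as a one-byte value. Declaring it `unsigned char null;` would make the stored octet independent of the platform. A short comment such as `/* encoded CRL version octet: version - 1 */` would also help, since the name `null` does not say what the variable holds. The function's return type and the end of its body are outside this hunk.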
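Review bot: `null = version - 1;` narrows an `unsigned int` into a single `char`, and the new guard bounds only the low end, so an out-of-range version is still accepted and silently altered. With an 8-bit char, 257 would presumably be stored as 0 and written as a v1 CRL, and 129 through 256 produce a byte with the high bit set, which a one-octet ASN.1 INTEGER would carry as a negative value. Bounding both ends in the same check keeps the encoded version equal to what the caller asked for: `if (version < 1 || version > 0x80)`. The error handling after asn1_write_value continues outside the hunk.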