diff --git a/pkgs/servers/x11/xorg/overrides.nix b/pkgs/servers/x11/xorg/overrides.nix
index fb8b5856ecb1..8c073c29c12d 100644
--- a/pkgs/servers/x11/xorg/overrides.nix
+++ b/pkgs/servers/x11/xorg/overrides.nix
@@ -188,7 +188,6 @@ in
     patches =
       [ ./xorgserver-dri-path.patch
         ./xorgserver-xkbcomp-path.patch
-        ./xorgserver-cve-2013-4396.patch
       ];
     buildInputs = attrs.buildInputs ++ [ xtrans ];
     propagatedBuildInputs =
diff --git a/pkgs/servers/x11/xorg/xorgserver-cve-2013-4396.patch b/pkgs/servers/x11/xorg/xorgserver-cve-2013-4396.patch
deleted file mode 100644
index 4b6727e61c05..000000000000
--- a/pkgs/servers/x11/xorg/xorgserver-cve-2013-4396.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Mon, 16 Sep 2013 21:47:16 -0700
-Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
- [CVE-2013-4396]
-
-Save a pointer to the passed in closure structure before copying it
-and overwriting the *c pointer to point to our copy instead of the
-original.  If we hit an error, once we free(c), reset c to point to
-the original structure before jumping to the cleanup code that
-references *c.
-
-Since one of the errors being checked for is whether the server was
-able to malloc(c->nChars * itemSize), the client can potentially pass
-a number of characters chosen to cause the malloc to fail and the
-error path to be taken, resulting in the read from freed memory.
-
-Since the memory is accessed almost immediately afterwards, and the
-X server is mostly single threaded, the odds of the free memory having
-invalid contents are low with most malloc implementations when not using
-memory debugging features, but some allocators will definitely overwrite
-the memory there, leading to a likely crash.
-
-Reported-by: Pedro Ribeiro <pedrib@gmail.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
----
- dix/dixfonts.c |    5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/dix/dixfonts.c b/dix/dixfonts.c
-index feb765d..2e34d37 100644
---- a/dix/dixfonts.c
-+++ b/dix/dixfonts.c
-@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
-             GC *pGC;
-             unsigned char *data;
-             ITclosurePtr new_closure;
-+            ITclosurePtr old_closure;
- 
-             /* We're putting the client to sleep.  We need to
-                save some state.  Similar problem to that handled
-@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
-                 err = BadAlloc;
-                 goto bail;
-             }
-+            old_closure = c;
-             *new_closure = *c;
-             c = new_closure;
- 
-             data = malloc(c->nChars * itemSize);
-             if (!data) {
-                 free(c);
-+                c = old_closure;
-                 err = BadAlloc;
-                 goto bail;
-             }
-@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
-             if (!pGC) {
-                 free(c->data);
-                 free(c);
-+                c = old_closure;
-                 err = BadAlloc;
-                 goto bail;
-             }
-@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
-                 FreeScratchGC(pGC);
-                 free(c->data);
-                 free(c);
-+                c = old_closure;
-                 err = BadAlloc;
-                 goto bail;
-             }
--- 
-1.7.9.2
diff --git a/pkgs/servers/x11/xorg/xorgserver12-CVE-1940.patch b/pkgs/servers/x11/xorg/xorgserver12-CVE-1940.patch
deleted file mode 100644
index d85494f90293..000000000000
--- a/pkgs/servers/x11/xorg/xorgserver12-CVE-1940.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 6ca03b9161d33b1d2b55a3a1a913cf88deb2343f Mon Sep 17 00:00:00 2001
-From: Dave Airlie <airlied@gmail.com>
-Date: Wed, 10 Apr 2013 06:09:01 +0000
-Subject: xf86: fix flush input to work with Linux evdev devices.
-
-So when we VT switch back and attempt to flush the input devices,
-we don't succeed because evdev won't return part of an event,
-since we were only asking for 4 bytes, we'd only get -EINVAL back.
-
-This could later cause events to be flushed that we shouldn't have
-gotten.
-
-This is a fix for CVE-2013-1940.
-
-Signed-off-by: Dave Airlie <airlied@redhat.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/hw/xfree86/os-support/shared/posix_tty.c b/hw/xfree86/os-support/shared/posix_tty.c
-index ab3757a..4d08c1e 100644
---- a/hw/xfree86/os-support/shared/posix_tty.c
-+++ b/hw/xfree86/os-support/shared/posix_tty.c
-@@ -421,7 +421,8 @@ xf86FlushInput(int fd)
- {
-     fd_set fds;
-     struct timeval timeout;
--    char c[4];
-+    /* this needs to be big enough to flush an evdev event. */
-+    char c[256];
- 
-     DebugF("FlushingSerial\n");
-     if (tcflush(fd, TCIFLUSH) == 0)
---
-cgit v0.9.0.2-2-gbebe